THE THREAT TO AMERICANS’ PERSONAL INFORMATION: A LOOK INTO THE SECURITY AND RELIABILITY OF THE HEALTH EXCHANGE DATA HUB


Wednesday, September 11, 2013 

U.S. House of Representatives, 

Committee on Homeland Security, 
Subcommittee on Cybersecurity, Infrastructure 
Protection, and Security Technologies, 

Washington, DC. 

The subcommittee met, pursuant to call, at 2:02 p.m., in Room 
311, Cannon House Office Building, Hon. Patrick Meehan [Chair- 
man of the subcommittee] presiding. 

Present: Representatives Meehan, Rogers, Marino, Perry, Clarke, 
Vela, and Horsford. 

Also present: Representative Jackson Lee. 

Mr. Meehan. The Committee on Homeland Security, Sub- 
committee on Cybersecurity, Infrastructure Protection, and Secu- 
rity Technologies will come to order. 

The subcommittee is meeting today to examine the security and 
reliability of the Health Exchange Data Hub and the existence of 
any threat to Americans’ personal information. 

Before beginning my opening statement, I think it is only appro- 
priate on a day like today that we take a moment and join in a 
moment of silence, remembrance of the victims of September 11 as 
we recognize the twelfth anniversary of that terrible tragedy. 

I thank you. 

I now recognize myself for an opening statement. 

Today’s hearing, “A Threat to Americans’ Personal Information: 
A Look into the Security and Reliability of the Health Exchange 
Data Hub” is the second hearing on this issue in less than 2 
months by this committee or associated with this committee. 

The Federal Data Services Hub was established under the rule- 
making for the Patient Protection and Affordable Care Act. Its pur- 
pose is to be the one-stop shop to connect applicants to the Afford- 
able Care Act exchanges. 

The hub will connect to multiple Federal agencies including the 
Social Security Administration to verify an applicant’s Social Secu- 
rity number, the IRS, to verify income and really not just for an 
applicant, but for an applicant’s spouse and children and others. 

The Department of Homeland Security to verify citizenship and immigration status as well as other Federal agencies to determine an applicant’s eligibility for Federal health insurance subsidies, the key aspect of it to be the ability to articulate the qualification, not just for subsidies but amount of subsidies.

Personally identifiable information for any applicant and their 
families will pass through the data hub from these various agen- 
cies. In fact, over 20 million Americans are expected to enter the 
exchange over the next 5 years, and I know we will hear testimony 
about what the scope of this exchange is expected to be. 

This information will include an applicant’s name, address, date of birth, Social Security number, household income, health status including whether an applicant is pregnant or has a disability, and will be stored in the exchange system of records for up to 10 years, stored in the system for up to 10 years.

The Government Accountability Office in a June 2, 2013 report 
called the hub, “a complex undertaking involving the coordinated 
actions of multiple Federal, State, and private stakeholders.” The 
report concluded that, “a timely and smooth implementation by Oc- 
tober 13, 2013 cannot yet be determined.” 

In July, this subcommittee convened a joint hearing with the 
House Oversight and Government Reform Subcommittee. We heard 
directly from Centers for Medicare and Medicaid Services, Director 
Marilyn Tavenner, and acting commissioner of the IRS, Daniel 
Werfel, among others on the implementation of the hub. 

My personal take-away from that hearing is that CMS was not 
ready to embark on this giant responsibility. Since our hearing, the 
Health and Human Services inspector general conducted a report 
on the implementation of the hub from a security perspective. 

The IG report stated that the several critical tasks remained to 
be completed in a short period of time. That is why we are here 
today, to examine CMS’ progress in securing America’s personal in- 
formation. 

I am thankful to the inspector general who sent a representative 
to participate in today’s hearing. As we sit just 20 days removed 
from the exchanges and the data hub, going live on October 1, I 
have grave concerns from a cybersecurity standpoint. 

We have assembled a panel of witnesses uniquely qualified in 
commenting on the scope and readiness of the mounting task at 
hand. I thank them for participating, and I look forward to hearing 
their testimonies. 

Let me conclude my comments by saying that this is not a hear- 
ing that goes into the policy implications behind the Affordable 
Care Act. It is not our purpose here today to try to raise that issue. 

But we are a committee that is focused and focused importantly 
on the security of American citizens, and one of the highest issues 
we currently see is an appreciation for personal privacy and private 
identifying information and what the misuse of that information 
cannot just mean directly to a person but to a person who then has 
to go about trying to fix that in their lives. 

In the best of times, we have seen dramatic growth in those who 
have used and developed new and innovative ways to steal that in- 
formation to use it in the markets in a variety of different capac- 
ities. 

So as we have dealt with increasing sophistication in those who 
would try to steal them and manipulate this information, we also 
recognize that we are in a unique time as well. 
A time in which cyber information is not just there to be manipulated or used or stolen by those if it is not appropriately secure, but we face a time in which there are very sophisticated actors, including state actors who may wish to do us harm.

A database that it is the core of one of the central expenditures 
of American resources can certainly, foreseeably be a target. The 
extent to which we are ready not just for the kinds of challenges 
that are facing security databases in the normal course of business 
but the preparation readiness to stand up to what may be a sophis- 
ticated attack and one that seeks to do us damage are all relevant 
considerations for us at this important point. 

These are some of the issues I want to ask about the readiness 
before we get ready to go, and I appreciate those of you who are 
here today who are ready to testify on your opinions and knowledge 
with regard to the readiness of this database. 

The Chairman now recognizes the Ranking Minority Member of the subcommittee, the gentlelady from New York, Ms. Clarke, for any statement that she may have.

Ms. Clarke. I thank you, Mr. Chairman, for holding a second 
hearing on one of the most important features of the Affordable 
Care Act, and I welcome our witnesses here today. 

When President Obama signed the Affordable Care Act in the 
East Room of the White House on March 23, 2010, the Federal 
Government started planning to operate health care insurance 
market places, also called exchanges, and assist States that opted 
to run their own marketplaces. 

All of this involves developing a complex computer web-based 
service that would allow millions of Americans access to affordable 
health care in the most efficient and safe way possible. 

This is a large undertaking and involves a complicated inter- 
agency IT and web-based software effort commonly known as the 
Federal Data Services Hub based at the Department of Health and 
Human Services Center for Medicare, Medicaid Services, or CMS. 

What is important about this effort is that we must create, col- 
lect, and use or disclose personal information of millions of our citi- 
zens in a responsible and confidential way. 

The health care marketplaces must establish and implement 
cyber and personal information protection standards that are con- 
sistent with specific principles outlined in our current health care 
law. 

Those principles which are comparable to the ones upon which 
the HIPAA, the Health Insurance Portability and Accountability 
Act, provide and they include No. 1, providing a right of access to 
one’s personally identifying information commonly referred to as 
PII, a right to have erroneous information corrected, and No. 3, 
providing accountability through appropriate monitoring and re- 
porting of information breaches. 

Exchanges must also establish and implement reasonable oper- 
ational, technical, administrative, and physical safeguards to en- 
sure the confidentiality, integrity, and availability of PII and to 
prevent unauthorized or inappropriate access, use, or disclosure of 
PII. 
In addition, health exchanges must monitor, periodically access, and update their security controls and must develop and use secure electronic interfaces when sharing PII electronically.

CMS has completed its technical design and build of Federal Data Services Hub and has established an inter-agency security framework as well as the protocols for connectivity.

Importantly, in a letter to Ranking Member Thompson this morning, HHS has revealed that as of Friday, September 6, they had taken the necessary steps to obtain security authorization for the data hub and the CMS chief information officer has signed the security authorization.

This is an important milestone and it shows that CMS will be 
ready to operate the hub securely on October 1. 

This will provide a common, secure connection for marketplaces 
to seek information from Federal databases necessary to verify eli- 
gibility, excuse me, for the millions of Americans who can begin to 
shop for quality, affordable health care coverage in just a few 
weeks. 

The hub has several layers of protection to mitigate information 
security risks. For example, marketplace systems will employ a 
continuous monitoring model that will utilize sensors and active 
event monitoring to quickly identify and take action. 

Let us remember, it is simple. The Data Services Hub will trans- 
fer data and be used to verify applicant information data for eligi- 
bility. The Data Services Hub is not a database. It will not function 
as a database. It will not contain health care records. 

The hub will send queries and responses among given market- 
places and data services to determine eligibility. The Data Services 
Hub will not determine consumer eligibility nor will it determine 
which health plans are available in the marketplaces. 

CMS and its vendors have told us and testified before this sub- 
committee and Energy and Commerce subcommittees that delivery 
milestones for the Data Services Hub completion are being met on 
time and they expect that the Data Services Hub will be ready as 
planned by October 1. 

I am looking forward to the testimony of the HHS Office of the 
Inspector General to learn more about their important role in the 
implementation of the Federal data hub. 

Also, we are going to hear testimony today from the director of 
the State Medicaid Directors Association whose members have 
been working on this effort from the ground up. 

I am eager to learn about the massive efforts that States and the Federal Centers for Medicare and Medicaid Services have made to stand up this complex data hub. This is the kind of information we need to help us deliver health care to citizens who really need it.

Mr. Chairman, I ask for unanimous consent to submit a copy of 
the letter received by Ranking Member Bennie Thompson. 

Mr. Meehan. Without objection, so ordered. 

[The information follows:] 
Letter Submitted by Ranking Member Yvette D. Clarke

Washington, DC, Sep. 10, 2013. 

The Honorable Bennie Thompson, 

Ranking Member, Committee on Homeland Security, U.S. House of Representatives, 
Washington, DC 20515. 

Dear Representative Thompson: Thank you for your inquiry related to privacy 
and security protections associated with the Data Services Hub (hub) and the status 
of our work to protect people and programs from cyber-attacks in this area. At the 
Department of Health and Human Services (HHS), we take very seriously our re- 
sponsibility to safeguard personal information in all of our programs, including in 
the Affordable Care Act Marketplace. Collectively, the tools, methods, policies, and 
procedures we have developed provide a safe and sound security framework to safe- 
guard consumer data, allowing eligible Americans to confidently and securely enroll 
in quality affordable health coverage starting on October 1, 2013. This framework 
is consistent with the framework that exists for all other HHS programs, such as 
Medicare, which Americans rely on every day. 

HHS’s Centers for Medicare & Medicaid Services (CMS) has a strong track record 
of preventing breaches involving the loss of personally identifiable information from 
cyber-attacks. This is due in large part to the establishment of an information secu- 
rity program with consistent risk management, security controls assessment, and 
security authorization processes for all enterprise systems. Our system and security 
protocols are grounded in statutes, guidelines and industry standards that ensure 
the security, privacy, and integrity of our systems and the data that flow through 
them. These protections include a series of statutes and amendments to these laws, 
such as the Privacy Act of 1974, the Computer Security Act of 1987 and the Federal 
Information Security Management Act (FISMA) of 2002, as well as various regula- 
tions and policies promulgated by HHS, the Office of Management and Budget, the 
Department of Homeland Security, and the National Institute of Standards and 
Technology (NIST). 

In accordance with these provisions, CMS has developed the hub, a routing tool 
that helps Marketplaces provide accurate and timely eligibility determinations. It is 
important to point out that the hub will not retain or store Personally Identifiable 
Information. Rather, the hub is a routing system that CMS is using to verify data 
against information contained in already existing, secure, and trusted Federal and 
State databases. CMS will have security and privacy agreements with all Federal 
agencies and States with which we are validating data. These include the Social Se- 
curity Administration, the Internal Revenue Service, the Department of Homeland 
Security, the Department of Veterans Affairs, Medicare, TRICARE, the Peace Corps, 
and the Office of Personnel Management. 

The hub is designed to comply with the comprehensive information security 
standards developed by NIST in support of FISMA. NIST has emerged as the gold 
standard for information security standards and guidelines that all Federal agencies 
follow. Several layers of protection will be in place to help protect against potential 
damage from attackers and mitigate risks. For example, the hub will employ a con- 
tinuous monitoring model that will utilize sensors and active event monitoring to 
quickly identify and take action against irregular behavior and unauthorized system 
changes that could indicate potential attacks. Automated methods will ensure that 
system administrators have access to only the parts of the system that are nec- 
essary to perform their jobs. These protocols, combined with continuous monitoring, 
will alert system security personnel when any system administrator attempts to 
perform functions or access data for which they are not authorized or are incon- 
sistent with their job functions. 

Should security incidents occur, an Incident Response capability built on the 
model developed by NIST would be activated. The Incident Response function allows 
for the tracking, investigation, and reporting of incidents so that HHS may quickly 
identify security incidents and ensure that the relevant law enforcement authorities, 
such as the HHS Office of Inspector General Cyber Crimes Unit, are notified for 
purposes of possible criminal investigation. 

Before Marketplace systems are allowed to operate and begin serving consumers 
across the country, they must comply with the rigorous standards that we apply to 
all Federal operational systems and CMS’s Chief Information Officer must authorize 
the systems to begin operation. I am pleased to report that the hub completed its 
independent Security Controls Assessment on August 23, 2013 and was authorized 
to operate on September 6, 2013. The completion of this testing confirms that the 
hub comports with the stringent standards discussed above and that HHS has im- 
plemented the appropriate procedures and safeguards necessary for the hub to oper- 
ate securely on October 1. 
The privacy and security of consumer data are a top priority for HHS and our Federal, State, and private partners. We understand that our responsibility to safeguard our systems is an on-going process, and that we must remain vigilant throughout their operations to anticipate and protect against evolving data security threats. Accordingly, we have implemented privacy and security measures for the Marketplace systems that employ measures similar to those in the private sector and we will continually validate through a variety of methods.

In closing, we have produced an extremely strong enterprise information security 
program by implementing state-of-the-art controls and business processes based on 
statutory requirements, agency and organizational commitments, best practices, and 
the experience and knowledge of our subject matter team members. This has re- 
sulted in the development, testing, and readiness of the hub to operate on October 
1 to serve consumers across the country in a secure and efficient manner. We hope 
this information is responsive to your inquiry. Thank you for your interest in and 
leadership on this important issue. 

Sincerely, 


Marilyn Tavenner. 


Ms. Clarke. Thank you, Mr. Chairman, and I yield back. 
[The statement of Ranking Member Clarke follows:] 


Statement of Ranking Member Yvette D. Clarke 


September 11, 2013 

Thank you Mr. Chairman for holding a second hearing on one of the most impor- 
tant features of the Affordable Care Act. 

When President Obama signed the Affordable Care Act in the East Room of the 
White House on March 23, 2010, the Federal Government started planning to oper- 
ate health care insurance marketplaces, also called exchanges, and assist States 
that opted to run their own marketplaces. 

All of this involves developing a complex computer web-based service that would 
allow millions of Americans access to affordable health care, in the most efficient 
and safe way possible. 

This is a large undertaking, and involves a complicated inter-agency IT and web- 
based software effort, commonly known as a “Federal Data Services Hub” based at 
The Department of Health and Human Services, Center for Medicare and Medicaid 
Services, or CMS. 

What is important about this effort is that we must create, collect, and use or dis- 
close personal information of millions of our citizens in a responsible and confiden- 
tial way. 

The health care marketplaces must establish and implement cyber and personal 
information protection standards that are consistent with specific principles outlined 
in our current health care law. 

Those principles, which are comparable to the ones upon which the HIPAA, the 
Health Insurance Portability and Accountability Act provide, and they include: 

• Providing a right of access to one’s Personally Identifying Information, com- 
monly referred to as PII; 

• A right to have erroneous information corrected; 

• And providing accountability through appropriate monitoring and reporting of 
information breaches. 

Exchanges must also establish and implement reasonable operational, technical, administrative, and physical safeguards to ensure the confidentiality, integrity, and availability of PII, and to prevent unauthorized or inappropriate access, use, or disclosure of PII.

In addition, Health Exchanges must monitor, periodically access, and update their security controls, and must develop and use secure electronic interfaces when sharing PII electronically.

CMS has completed its technical design, and build of Federal Data Services Hub 
and has established an interagency security framework as well as the protocols for 
connectivity. 

Importantly, in a letter to Ranking Member Thompson this morning, HHS has re- 
vealed that as of Friday, September 6, they had taken the necessary steps to obtain 
security authorization for the data hub, and the CMS Chief Information Officer has 
signed the security authorization. This is an important milestone, and it shows that 
CMS will be ready to operate the hub securely on October 1. 
This will provide a common, secure connection for Marketplaces to seek information from Federal databases necessary to verify eligibility for the millions of Americans who can begin to shop for quality, affordable health coverage in just a few weeks.

The hub has several layers of protection to mitigate information security risk. For example, Marketplace systems will employ a continuous monitoring model that will utilize sensors and active event monitoring to quickly identify and take action.

Let us remember, it’s simple . . . the Data Services Hub will transfer data and 
be used to verify applicant information data for eligibility. The Data Services Hub 
is NOT a database, it will not function as a database, and it will not contain health 
care records. 

The hub will send queries and responses among given marketplaces and data 
sources to determine eligibility. The Data Services Hub will not determine consumer 
eligibility, nor will it determine which health plans are available in the market- 
places. 

CMS and its vendors have told us, and testified before this subcommittee and En- 
ergy and Commerce subcommittees, that delivery milestones for the Data Services 
Hub completion are being met on time, and they expect the Data Services Hub will 
be ready as planned by October 1. 

I am looking forward to the testimony of the HHS Office of Inspector General to 
learn more about their important role in the implementation of the Federal Data 
Hub. 

Also, we are going to hear testimony today from the director of the State Medicaid 
Directors Association, whose members have been working on this effort from the 
ground up. 

I am eager to learn about the massive efforts that States, and the Federal Centers 
for Medicare and Medicaid Services, have made to stand up this complex data hub. 

This is the kind of information we need to help us deliver health care to citizens 
who really need it. 

Mr. Chairman, I yield back. 

Mr. Meehan. Okay. I thank the gentlelady. 

Other Members of the committee are reminded that opening 
statements may be submitted for the record. 

[The statement of Ranking Member Thompson follows:] 

Statement of Ranking Member Bennie G. Thompson 
September 11, 2013 

Thank you, Mr. Chairman, for holding a second hearing on one of the most impor- 
tant features of the Affordable Care Act. I also want to thank the witnesses for ap- 
pearing here today. 

On March 23, 2010, President Obama signed the Affordable Care Act into law. I should note that today, the Majority will bring their 41st vote to undermine and repeal the Affordable Care Act to the Floor of the House. The ACA requires the development of a computer-based service that will allow millions of Americans the ability to purchase affordable health care policies for their families, in the most efficient and safest way possible. This undertaking requires the development of a “Federal Data Services Hub.”

My colleagues on the other side of the aisle have used the development of this 
hub to promote uncertainty and fear about the ability of these computer systems 
to keep the personal and health information of millions of Americans safe and se- 
cure. I appreciate their concern. It seems that last year, a poll conducted by the Na- 
tional Foundation for Credit Counseling found that 64% of Americans fear identity 
theft. Given the widespread fear of identity theft, the American public should have 
the facts on whether there is any danger in personal and health information leaking 
out or being hacked from this system. 

This kind of assurance is extremely important if we want millions of people who 
do not have health care to feel that they can trust this system and use it to get 
the care they need and the policies they can afford. We all know that sowing fear 
in a new system is one way to discourage participation and drive down enrollment 
figures. I am sure no one would want that outcome. So here are the facts that peo- 
ple need to know to have confidence in this system: 

(1) The use of computers to obtain, verify, and transmit information in Govern- 
ment programs is nothing new; 

(2) The information contained on your driver’s license and Social Security card 
and any other piece of Government-issued identification you have is housed 
somewhere on a Government database; 
(3) The Federal Government and the States already use and exchange personal data to determine eligibility for various programs;

(4) Leaks involving personal data by State and local governments are a rare occurrence. Information leaks involving personal data held by private companies, such as banks, credit card issuers, and retail stores, are common; and,

(5) As of Friday, September 6, 2013, HHS/CMS had taken the necessary steps 
to obtain a security authorization for this system. 

Thus, while I appreciate the Majority’s concern about the Government’s ability to 
safeguard this information, it appears to be misplaced. 

Thank you, Mr. Chairman, and I yield back. 

Mr. Meehan. I am going to take a moment to introduce the dis- 
tinguished panel that we have before us, and we are appreciating 
having such a distinguished panel on this topic. 

First, let me introduce Mr. Michael Astrue who formerly served as the commissioner of Social Security from 2007 until January 2013 as well as the general counsel for the Department of Health and Human Services from 1989 until 1992.

As commissioner of Social Security, he focused his efforts on re- 
ducing the disability backlog and improving services to the public 
particularly through electronic services. 

He spearheaded highly-successful new systems for fast-tracking disability claims, created National hearing centers to reduce backlogs, and expanded and overhauled the agency’s suite of electronic services to make them simpler, faster, and more user-friendly.

Dr. Stephen Parente is the Minnesota Insurance Industry Pro- 
fessor of Health Finance and Insurance in the Carlson School of 
Management at the University of Minnesota. He specializes in 
health economics, health insurance, medical technology evaluation 
in health information technology. 

He is acknowledged as a National expert on using administrative 
databases particularly Medicare and health insurer data for health 
policy research and has served as a consultant to several of the 
largest health care organizations in the country. 

Ms. Kay Daly is the assistant inspector general for audit services 
at the United States Department of Health and Human Services. 

Ms. Daly’s responsibilities include overseeing the chief financial 
officer financial statement audits at HHS, reporting on compliance 
with improper payment acts, providing oversight of over 300 grant 
programs as ministered by HHS, and overseeing audits related to 
the implementation of health care reform. 

Prior to joining HHS OIG, Ms. Daly worked at the Government 
Accountability Office for 23 years. 

Finally, we are joined by Mr. Matt Salo. He has been the executive director of the National Association of Medicaid Directors since February 2011.

This is a newly-formed association. It represents all 56 of the Na- 
tion’s State and territorial Medicaid directors and provides them 
with a strong unified voice in National discussions as well as a 
locus for technical assistance and best practices. 

Mr. Salo formerly spent 12 years at the National Governors Association where he worked on the Governors’ Health Care and Human Services agendas and spent 5 years prior to that as a health policy analyst working for the State Medicaid directors.

There will be full written statements of the witnesses which will 
appear in the record. 
Now I have got to sort of make a judgment, and I see that we have a little less than 8 minutes to go on the existing vote responsibilities that we have. Having teed this very, very impressive panel up, I am sort of hesitant to see a rain delay.

So what I think I am going to recommend to our panel is that 
we will vote as quickly as we can, and I will make the representa- 
tion that I will hustle back as quickly as I can, gavel in as soon 
as I get here, and I know my colleagues will do their best as well 
after last vote. 

I think it is probably better to allow the panelists to testify in 
order than to start the process, break, and start again. 

So with your forgiveness, so to speak, we thank you for under- 
standing the nature of the world in which we work and we look for- 
ward upon our return to your testimony in engaging in, in, in our 
dialogue. 

So, at the moment, the Chairman, the committee stands in re- 
cess. 

Thank you. 

[Recess.] 

Mr. Meehan. The Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies will return to order.

I thank you once again for your indulgence. I know my colleagues 
are working their way back as quickly as possible, but we thank — 
we appreciate your indulgence, and now we would like to create the 
opportunity for you to begin your testimony. 

As I have said before, the full written statements of the witnesses will appear in the record. So I now look forward to the verbal testimony of each of our witnesses on the issue that we are here to meet with today.

So the Chairman now recognizes Mr. Astrue for his testimony. 
Thank you. 

Mr. Astrue, yes, you may want to touch — thank you. 

STATEMENT OF MICHAEL J. ASTRUE, FORMER SOCIAL SECURITY COMMISSIONER, FORMER U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES GENERAL COUNSEL

Mr. Astrue. Out of practice, sorry. 

Chairman Meehan, Ranking Member Clarke, and Members of 
the subcommittee, no day is more fitting than 9/11 for us to cherish 
and safeguard our liberties as Americans. Thank you for inviting 
me here today. 

I testify only as a former official. A quarter-century ago, I briefly 
was the White House’s Privacy Act officer. I then served as general 
counsel of the U.S. Department of Health & Human Services and 
as commissioner of Social Security for Presidents Bush and Obama. 
As commissioner, I also served as a trustee of the Medicare Trust 
Fund. 

Some history helps us understand why we needed to have this 
hearing. Infighting and paralysis marked the first year of the effort 
to construct the Federal health exchanges, including what is called 
the “data hub.” 

Administrator Berwick claimed that he could not find the money to build the system, and he criticized Congress for not specifically appropriating money for it. He also criticized Secretary Sebelius for refusing to release money from the ACA discretionary fund.

Berwick pressed other agencies to pay for the exchanges, even 
though such payments would have violated appropriations restric- 
tions. When development started in earnest after Berwick’s depar- 
ture, CMS struggled to meet its deadlines. 

CMS’ failures and delays have been common knowledge within 
the administration, yet HHS was never candid with the States 
about these problems as they were choosing either to build their 
own exchanges or to use the CMS exchanges. 

From 2007-2013, I led the overhaul and expansion of Social 
Security’s suite of electronic services. I personally reviewed every 
major system before beta testing, and extensive beta testing often 
revealed the need for delays to make changes. We involved not only 
random focus groups, but also advocates for various people, such as 
victims of domestic violence. 

We need to be vigilant about the privacy of the data stored in 
these types of systems, which I believe are not being adequately 
protected by CMS. 

The defense offered by the HHS inspector general, the Center for 
Democracy & Technology, and others, that the CMS systems are 
just a “routing tool,” not a repository, is either untrue or problem- 
atic. 

CMS needs to store data to create forensic trails necessary to 
track security breaches. Failure to establish forensic trails would 
create a serious issue under the Federal Information Security Man- 
agement Act of 2002 and would create a serious operational vulner- 
ability. 

We also need to know whether unauthorized changes of insur- 
ance could leave Americans unexpectedly uninsured. We need to 
know how CMS will define and respond to breaches. 

I know how important that is because I suffered through the Of- 
fice of Personnel Management’s inept response when my personal 
Federal financial records were breached 2 years ago. We need to 
know why many of the people who will deal with the public are 
just being hired now and being hired without background checks. 

A rigorous authentication process may result in as many as 2 to 
5 million people who will need to interact with CMS contractors 
when they fail to access the system. Is CMS ready for that work- 
load or are they going to sacrifice service or authentication? 

Greater transparency about these issues would have improved 
the quality of the exchanges and would have increased public con- 
fidence in the system, which is sorely lacking today. 

Both SSA and the IRS formally appealed to OMB that the ex- 
changes would violate the Privacy Act, violations which potentially 
carry criminal penalties. 

OMB eventually denied that appeal, but in my view HHS will be 
violating the Privacy Act on a massive scale by allowing people to 
make insurance decisions for other adults without their written 
consent. This feature of the system may also allow domestic abus- 
ers to track down their victims. 

An August 2, 2013 inspector general report revealed that the 
CMS schedule had slipped so badly that mandatory security find- 
ings were scheduled for the day before implementation. 
Despite HHS’ letter this morning, yesterday’s testimony before 
the House Energy and Commerce Committee indicates that many 
States will be unready for October 1, and that CMS may be un- 
ready given that the contractors were still citing October 1 as their 
date of readiness. 

The main reason we have so little information about the status 
of the exchanges is the failure of the office of the HHS inspector 
general. Relying only on interviews and documents, its August 2, 
2013 report on the exchanges contained less than 5 pages of anal- 
ysis; its total work product for this subject for the year. 

Moreover, the inspector general did not inspect the beta version 
and meekly noted that CMS withheld security documents. He ig- 
nored the vulnerabilities in the system that transmits, largely 
through the so-called cloud, sensitive personal information to CMS 
contractors and private insurers. 

He ignored the privacy issues, the security issues, and the issues 
associated with poorly screened and trained contractors. He did not 
assess usability, performance measures, governance, or contingency 
plans. With HHS’ greatly expanded role in health care, Americans 
need an inspector general who is a watchdog, not a lapdog. 

Congress is bitterly divided about the Affordable Care Act, but 
the topics for my presentation should be common ground. Whether 
or not you support an individual mandate, you can embrace the 
principle that no one should be forced to sacrifice privacy in order 
to comply with that mandate. 

To the best of my knowledge, work on systems that would comply 
with the Privacy Act ended in early 2013. A system respecting the 
Privacy Act would probably take an additional 6 to 18 months to 
develop. 

President Obama has delayed other parts of the Affordable Care 
Act. Vulnerable Americans without lobbyists deserve the same re- 
spect and deference given to the business community. 

You should support a moratorium on the exchanges until HHS 
secrecy ends, and until we know whether uninsured Americans will 
be forced to pay, along with their premiums, the high price of their 
privacy, and the safety of their personal data. 

Thank you. 

[The prepared statement of Mr. Astrue follows:] 

Prepared Statement of Michael J. Astrue 
September 11, 2013 

Chairman Meehan, Ranking Member Clarke, and Members of the subcommittee, 
no day is more fitting than 9/11 for us to cherish and safeguard our liberties as 
Americans. 

I testify today only as a former official. A quarter-century ago, I briefly was the 
White House’s Privacy Act officer. I then served as general counsel of the U.S. De- 
partment of Health & Human Services and as commissioner of Social Security for 
Presidents Bush and Obama. As commissioner, I also served as a trustee of the 
Medicare Trust Fund. 

Some history helps us understand why we needed to have this hearing. Infighting 
and paralysis marked the first year of the effort to construct the Federal health ex- 
changes, including what is called the “data hub.” Administrator Berwick claimed 
that he could not find the money to build the system, and he criticized Congress 
for not specifically appropriating money for it. He also criticized Secretary Sebelius 
for refusing to release money from the ACA discretionary fund. 

Berwick pressed other agencies to pay for the exchange, even though such pay- 
ments would violate appropriations restrictions. When development started in ear- 
nest after Berwick’s departure, CMS struggled to meet its deadline. CMS’s failures 
and delays have been common knowledge within the administration, yet HHS was 
never candid with States as they were choosing either to build their own exchanges 
or to use the CMS exchanges. 

From 2007-2013, I led the overhaul and expansion of Social Security’s suite of 
electronic services. I personally reviewed every major system before beta testing, 
and extensive beta testing often revealed the need for delays to make changes. We 
involved not only random focus groups, but also advocates for various people, such 
as victims of domestic violence. 

We need to be very concerned about protecting the privacy of the data stored in 
these types of systems, which I believe are not adequately protected. The defense 
offered by the Center for Democracy & Technology and others — that the CMS sys- 
tems are just a “routing tool,” not a repository — is either untrue or problematic. 
CMS needs to store data to create forensic trails necessary to track security 
breaches; failure to establish forensic trails would create a serious issue under the 
Federal Information Security Management Act of 2002. 

We need to know whether unauthorized changes of insurance could leave Ameri- 
cans unexpectedly uninsured. We need to know how CMS will define and respond 
to breaches — I know how important that is because I suffered through OPM’s inept 
response when my Federal financial records were breached 2 years ago. We need 
to know why many of the people who will deal with the public are just being hired 
now, and being hired without background checks. A rigorous authentication process 
may result in as many as 2 million people who will need to interact with CMS con- 
tractors when they fail to access the system — is CMS ready for that workload or are 
they going to sacrifice service or authentication? Greater transparency about these 
issues would improve the quality of the exchanges — and increase public confidence 
in the system. 

Both SSA and the IRS formally appealed to OMB that the exchanges would vio- 
late the Privacy Act, violations which potentially carry criminal penalties. OMB 
eventually denied that appeal, but in my view HHS will be violating the Privacy 
Act on a massive scale by allowing people to make insurance decisions for other 
adult family members without their written consent. This feature of the system may 
well allow domestic abusers to track down their victims. 

An August 2, 2013 inspector general report revealed that the CMS schedule has 
slipped so badly that mandatory security findings are scheduled for the day before 
implementation. With no room for adequate beta testing and revisions, HHS’s claim 
that it will be ready to make security findings on its September 30 deadline is a 
fiction designed to preserve the larger fiction that the exchanges will be ready for 
uninsured Americans. 

Before I conclude, I urge President Obama and Congress to scrutinize the per- 
formance of HHS Inspector General Levinson. Relying only on interviews and docu- 
ments, his August 2, 2013 report on the exchanges contained less than 5 pages of 
analysis. His staff did not even try to use the beta version of the system. 

HHS cannot have it both ways. If the exchanges can function on October 1, by 
July of this year there must have been a beta version. However, the inspector gen- 
eral did not inspect the beta version, and meekly noted that CMS withheld security 
documents. He ignored the vulnerabilities of a system that transmits, largely 
through the so-called “cloud,” sensitive personal information to CMS contractors and 
private insurers. He ignored the privacy issues, the security issues, and the issues 
associated with poorly screened and trained contractors. He did not assess usability, 
performance measures, governance, or contingency plans. With HHS’s expanded role 
in health care, Americans need an inspector general who is a watchdog, not a 
lapdog. 

Congress is bitterly divided about the Affordable Care Act, but there should be 
common ground. Whether or not you support an individual mandate, you can em- 
brace the principle that no one should be forced to sacrifice privacy in order to com- 
ply with that mandate. To the best of my knowledge, work on systems that would 
comply with the Privacy Act stopped in early 2013 after OMB brushed aside the Pri- 
vacy Act appeals of SSA and the IRS. A system respecting the Privacy Act would 
probably take an additional 6-18 months to develop. 

President Obama has delayed other parts of the Affordable Care Act. Vulnerable 
Americans without lobbyists deserve the same respect and deference given to the 
business community. You should support a moratorium on the exchanges until HHS 
secrecy ends, and until we know whether uninsured Americans, will be forced to 
pay — along with their premiums — the high price of their privacy. 

Thank you. 

Mr. Meehan. Thank you, Mr. Astrue. 
The Chairman now recognizes Dr. Parente for his testimony. 

STATEMENT OF STEPHEN T. PARENTE, PH.D., MINNESOTA IN- 
SURANCE INDUSTRY CHAIR OF HEALTH FINANCE, DIREC- 
TOR, MEDICAL INDUSTRY LEADERSHIP INSTITUTE, PRO- 
FESSOR, DEPARTMENT OF FINANCE, CARLSON SCHOOL OF 
MANAGEMENT, UNIVERSITY OF MINNESOTA 

Mr. Parente. Thank you, Chairman Meehan, Ranking Member 
Clarke, and Members of the committee, for this opportunity to 
speak to you today. 

My name is Steve Parente. I hold the Minnesota Insurance In- 
dustry Chair of Health Finance at the University of Minnesota. 
There, I serve as the professor in the Finance Department at the 
Carlson School and director of the Medical Industry Leadership In- 
stitute growing MBA program. 

As I just stated, my expertise is health insurance, health infor- 
mation technology, and medical technology evaluation. I have an 
appointment at Johns Hopkins University as a faculty member. 

In the summer of 2011, I and my colleague from the Manhattan 
Institute, Paul Howard, wrote about implementation of the Afford- 
able Care Act and security concerns regarding the Health Insur- 
ance Exchange Hub that is scheduled to be fully-operational in less 
than 20 days. 

This essay received little attention at that time. On December 7, 
2012, USA Today printed an op-ed written by Dr. Howard and my- 
self that described the same issues as we did a year before. The 
2012 op-ed received far greater attention Nationally and particu- 
larly from the administration. 

The principal concern I sought to examine was the Government’s 
capability to rapidly and securely combine information at a per- 
sonal level from multiple Federal agencies in order to make eligi- 
bility determinations for Americans to purchase health insurance 
on a State or Federal insurance exchange. 

I have stated and continue to posit that the combination of such 
data would be the largest personal data integration Government 
project in the history of this Republic with up to 300 million Amer- 
ican citizens’ records needing to be combined from several Federal 
agencies. 

The Federal agencies involved in this integration are the Depart- 
ment of Health and Human Services to facilitate the data and oper- 
ating parameters of the Federally-facilitated exchange and the 
State-based exchanges as well as ensure that the applicants are not 
already eligible for Medicare benefits; the Social Security Adminis- 
tration to verify Social Security numbers, death indicator status, 
disability status under Title II of the Social Security Act, prisoner 
data or incarceration status, annual and monthly Social Security 
benefit information, and a confirmation to claim of citizenship is 
consistent with Social Security records; the Department of Treas- 
ury to verify income as well as transfer subsidies as necessary to 
purchase health insurance; the Office of Personnel Management, 
Peace Corps, and Department of Defense and Veterans Administra- 
tion to make sure that applicants don’t have access to health care 
coverage from other alternative sources; and finally, the Depart- 
ment of Homeland Security to verify whether the individual is in- 
deed legally present in the United States. 

My expressed concern is that it is not clear how the data hub 
will operate. Ideally, the hub should function as a switch that 
routes information but does not retain the personal identifying in- 
formation it is routing. 

Major credit card purchases today operate this way where a re- 
tailer at the point of purchase uses your credit card to link a vari- 
ety of data sources about you to make sure you are not a credit risk 
and then clears you to purchase for a large screen TV for the holi- 
days. 

This approach minimizes privacy risks and provides good data 
security, and the Federal data hub should operate this way, cou- 
pled to either a State or Federal insurance exchange as well as to 
the Social Security Administration, Treasury Department, Home- 
land Security, and Department of Justice, et cetera. 

Operating this would create a fire-and-forget data system that 
would instantaneously link to an abstract piece of information and 
then delete it to prevent it from becoming a privacy concern. 

Major financial services firms have been providing these services 
for nearly 2 decades, and if there ever has been a privacy breach, 
it is not from a pure data switch. 

Now having said that about how one can provide reliable data 
protection, no one has said how this hub will actually operate to 
ensure that every precaution possible has been taken to avert pri- 
vacy breaches as well as safeguard against identity fraud. 

Greater transparency is needed as well as frank acknowledgment 
that the ACA’s posted deadlines should take second place to rea- 
sonable data privacy and security concerns. This isn’t a political 
point, it isn’t meant to impinge on anyone’s motives inside of HHS 
or the administration. 

The fact that only a handful of individuals know truly how this 
will operate may preserve some security but it is operating as — not 
operating as planned, it could also be viewed as a failure with the 
execution for full transparency and provision of law that could — 
that had 3 years to implement but did not get the job done. 

HHS’s job is to implement this law and as much as some citizens 
may dislike an assortment of the law’s underlying provisions, HHS’ 
staff are doing exactly what they need to get it done under the con- 
straints they can’t control. 

They are doing so in a politically-charged environment and 
crashing headlong into constraints of scarce human capital, com- 
plex regulatory environments, and of a massive IT project with lit- 
erally no technical precedent. 

I believe Congress has a legitimate oversight responsibility to en- 
sure that whatever your feelings about the ACA, the final product 
is trusted, functional, and secure for all Americans. Congress 
should take that responsibility seriously and the administration 
should help them execute that responsibility. 

In closing, I hope my efforts to bring transparency to operational 
parameters of the hub only strengthen its operation. Failure to 
build a secure hub could bring significant damage to the privacy 
and security of Federal data systems and cause irreparable harm 
to Americans whose personal information would be lost to fraud 
and identity theft. This must not be allowed to occur. 

Thank you for this opportunity to be heard today. I welcome your 
questions. 

[The prepared statement of Mr. Parente follows:] 

Prepared Statement of Stephen T. Parente 
September 11, 2013 

Thank you, Chairman Meehan, Ranking Member Clarke, and Members of the 
committee, for this opportunity to speak to you today. 

My name is Steve Parente. I hold the Minnesota Insurance Industry Chair in 
Health Finance at the University of Minnesota. There, I serve as professor in the 
Finance Department at the Carlson School of Management and director of the Med- 
ical Industry Leadership Institute, a growing MBA program. My areas of expertise 
are health insurance, health information technology, and medical technology evalua- 
tion. I also have an appointment at the Johns Hopkins University in Baltimore, 
Maryland. 

In summer 2011, I and my colleague from the Manhattan Institute Paul Howard 
wrote about implementation of the Affordable Care Act (ACA) and security concerns 
regarding the Health Insurance Exchange Hub that is scheduled to be fully oper- 
ational in less than 20 days. This essay received little attention at the time. On De- 
cember 7, 2012 USA Today printed an op-ed written by Dr. Howard and myself 
that described the same issues as we did a year before. The 2012 op-ed received far 
greater attention Nationally and in particular from the administration. 

The principal concern I sought to examine was the Government’s capability to 
rapidly and securely combine information at a personal level from five Federal agen- 
cies in order for someone to purchase health insurance on a State or Federal ex- 
change. I have stated and continue to posit that the combination of such data would 
constitute the largest personal data integration Government project in the history 
of the Republic, with up to 300 million American citizen records needing to be com- 
bined from five Federal agencies. 

The five agencies involved in this integration are: The Department of Health and 
Human Services, to facilitate the data and operating parameters of the exchanges; 
the Social Security Administration, to verify if the person to be insured is indeed 
living; the Department of Treasury, to verify income level, as well as transfer sub- 
sidies as necessary to purchase health insurance; the Department of Justice, to 
verify that the insured is not incarcerated; and finally, the Department of Homeland 
Security, to verify the citizenship of the individual. 

My expressed concern is that it’s not clear exactly how the data hub will operate. 
Ideally, the hub should function as a switch that routes information but does not 
retain the person-identifying information it is routing. Major credit card purchases 
today operate this way: Where a retail vendor, at the point of purchase, uses your 
credit card to link a variety of data about you to make sure you are not a credit 
risk and then clears you for purchase of your 70" LCD TV for the holidays. This 
approach minimizes privacy risks and provides good data security. 

The Federal data hub should operate this way, coupled to either a State or Fed- 
eral insurance exchange as well as to the Social Security Administration, Treasury 
Department, Homeland Security, and Department of Justice, et al. Operating this 
would create a fire-and-forget data system that would instantaneously link to an ab- 
stract piece of information and then delete it to prevent it from becoming a privacy 
concern. Major financial services firms have been providing these services for nearly 
2 decades, and if there ever has been a privacy breach, it is not from a pure data 
switch. 

Having said how you could provide reliable data privacy protection, no one has 
said how the data hub will actually operate to ensure no privacy breaches as well 
as safeguard against identity fraud. Greater transparency is needed, as well as a 
frank acknowledgement that the ACA’s posted deadlines should take second place 
to reasonable data concerns. This isn’t a political point, and isn’t meant to impinge 
upon anyone’s motives inside HHS. The fact that only a handful of individuals know 
truly how this will operate may preserve some security. Alternatively, if the hub 
does not operate as planned, it may also be viewed as a failure to plan and execute 
with full transparency a provision of the law the agencies had over 3 years to imple- 
ment. 

HHS’ job is to implement the law. As much as some citizens dislike an assortment 
of the law’s underlying provisions HHS staff are doing exactly what they are sup- 
posed to do and facing constraints they can’t always control. They are doing so in 
a politically-charged environment — and crashing headlong into the constraints of 
scarce human capital, complex regulatory requirements, and a massive IT project 
with literally no technical precedent. 

I believe Congress has a legitimate oversight responsibility to ensure that — what- 
ever your feelings about the ACA — the final product is trusted, functional, and se- 
cure for all Americans. Congress should take that responsibility seriously — and the 
administration should help them execute that responsibility. 

In closing, I hope my efforts to bring transparency to operational parameters of 
the hub only strengthen its operation. Failure to build a secure hub could bring sig- 
nificant damage to the security of Federal data systems. This must not be allowed 
to occur. 

Thank you for this opportunity to be heard today. I welcome any questions. 

Mr. Meehan. Thank you, Dr. Parente. 

The Chairman now recognizes the gentlelady from the IG’s 
office, Ms. Daly. 

STATEMENT OF KAY DALY, ASSISTANT INSPECTOR GENERAL, 
AUDIT SERVICES, U.S. DEPARTMENT OF HEALTH AND 
HUMAN SERVICES 

Ms. Daly. Thank you, Chairman Meehan. 

Thank you, Chairman Meehan, Ranking Member Clarke, and 
other distinguished Members of the subcommittee. I appreciate the 
opportunity to be here today to discuss the Office of Inspector Gen- 
eral’s review of the Centers for Medicare and Medicaid Services im- 
plementation of the Data Services Hub from a security perspective. 

My testimony today summarizes OIG’s observations about CMS’ 
progress in implementing security requirements of the hub includ- 
ing a recent update we received from CMS management on the sta- 
tus of the project. 

As you know, the hub plays a key role in providing important 
data for health insurance exchanges that are also called market- 
places, which are being established under the Affordable Care Act. 

The State-based exchanges will serve as the one-stop shop where 
individuals will get information about their health insurance op- 
tions, be assessed for eligibility, and enroll in the health plan of 
their choice. 

The hub is intended to support those exchanges by providing a 
single point where exchanges can access data from different 
sources including Federal agencies and their State partners. 

It is important to note that the hub does not store data, rather, 
it simply acts as a conduit for the exchanges to access data from 
where they are stored. 

In a report issued on August 2, 2013, we assessed the informa- 
tion technology security controls that CMS was implementing for 
the hub and the coordination between CMS and Federal and State 
agencies during the development of the hub. We did not review the 
functionality of the hub or privacy issues associated with it. 

At the time of our reviews, CMS was addressing and testing se- 
curity controls of the hub during the development process. Several 
critical tasks remained to be completed at the time, such as the 
final independent testing of the hub security controls, remediating 
the security vulnerabilities identified during testing, and obtaining 
the security authorization for the hub before opening the ex- 
changes. 
CMS’ schedule at that time was to complete all of these tasks by 
October 1 in time for the expected initial open enrollment date for 
the health insurance exchanges. 

Our report described the time lines that CMS provided us for its 
system security plan, its risk assessment, and its security control 
assessment and security authorization decisions. 

In our report, we noted that between March and July, some key 
dates had moved back. These were internal target dates set by 
CMS for these milestones and not mandated deadlines. 

Subsequent to issuing our report, CMS has reported to us that 
it has made additional progress on these key security milestones. 
For example, since our review, CMS has reported to us that the se- 
curity authorization was completed on September 6, 2013. We have 
not independently verified CMS’ progress since completing our 
audit. 

Our review also observed that CMS was coordinating with its 
Federal and State partners during the development and testing of 
the hub in part to ensure that security measures were imple- 
mented by all stakeholders. 

CMS had developed a testing approach and test plans for the 
inter-agency testing aspect. At the time of our reviews, CMS was 
in the process of executing those test plans. 

In addition, CMS has developed security-related documents and 
security agreements regarding its Federal partners and informa- 
tion systems and networks. 

Federal policy does require agencies to develop interconnection 
security agreements for Federal information systems and networks 
that share or exchange information. 

Each of the Federal partners will provide information on their 
systems’ environments and the overall approach for safeguarding 
the confidentiality, integrity, and availability of shared data in sys- 
tems interfaces. 

Since our review, CMS has reported to us that all of these agree- 
ments are expected to be approved by September 27, 2013. 

In closing, I want to thank you for your interest in our work on 
this important subject and the opportunity to be part of this discus- 
sion. I would be very pleased to take any questions you might have. 

[The prepared statement of Ms. Daly follows:] 

Prepared Statement of Kay Daly 
September 11, 2013 

INTRODUCTION 

Good afternoon, Chairman Meehan, Ranking Member Clarke, and other distin- 
guished Members of the subcommittee. Thank you for the opportunity to testify 
about the Office of Inspector General’s (OIG) review of the Centers for Medicare & 
Medicaid Services’ (CMS) implementation of the Data Services Hub (hub) from a se- 
curity perspective, which we issued on August 2, 2013.¹ My testimony today sum- 
marizes OIG’s observations about CMS’s progress in implementing security require- 


¹ Observations Noted During the OIG Review of CMS’s Implementation of the Health Insurance 
Exchange—Data Services Hub, A-18-13-30070, August 2013, available on-line at 
https://oig.hhs.gov/oas/reports/region18/181330070.asp. 
ments of the hub during the period of our review.² We assessed the information 
technology (IT) security controls that CMS was implementing for the hub, adequacy 
of the testing being performed during its development, and the coordination between 
CMS and Federal and State agencies during the development of the hub. We did 
not review the functionality of the hub or issues specific to the Privacy Act. 

At the time of our review, CMS was addressing and testing security controls for 
the hub during the development process. Several critical tasks remained to be com- 
pleted, such as the final independent testing of the security controls, remediating 
security vulnerabilities identified during testing, and obtaining the security author- 
ization decision for the hub before opening the exchanges. CMS’s schedule at that 
time was to complete all of these tasks by October 1, 2013, in time for the expected 
initial open enrollment date for health insurance exchanges. 

Our report described the time lines that CMS provided us for its system security 
plan, risk assessment, security control assessment, and security authorization deci- 
sions. In our report, we noted that between March and July, some key targets had 
been shifted to later dates. These were internal target dates set by CMS for these 
milestones and not mandated deadlines. Since issuing our report, CMS has reported 
to us that it has made additional progress on these key milestones, including obtain- 
ing its security authorization for the hub on September 6, 2013. We have not inde- 
pendently verified CMS’s progress since completing our audit. 

Following is a discussion of the hub’s role within the health insurance exchanges, 
the results of our review, and concluding observations. 

BACKGROUND 

States must establish health insurance exchanges by January 1, 2014,³ and all 
health insurance exchanges must provide an initial open enrollment period begin- 
ning October 1, 2013 (45 CFR § 155.410). Health insurance exchanges, also known 
as Marketplaces, are State-based competitive marketplaces where individuals and 
small businesses will be able to purchase private health insurance.⁴ Exchanges will 
serve as a one-stop shop where individuals will get information about their health 
insurance options, be assessed for eligibility (for, among other things, qualified 
health plans, premium tax credits, and cost-sharing reductions), and enroll in the 
health plan of their choice. 

The hub is intended to support the exchanges by providing a single point where 
exchanges may access data from different sources, primarily Federal agencies. It is 
important to note that the hub does not store data. Rather, it acts as a conduit for 
exchanges to access the data from where they are originally stored. Hub functions 
will include facilitating the access to data by exchanges, enabling verification of cov- 
erage eligibility, providing a central point for the Internal Revenue Service (IRS) 
when it asks for coverage information, providing data for oversight of the exchanges, 
providing data for paying insurers, and providing data for use in web portals for 
consumers. 

Effective security controls are necessary to protect the confidentiality, integrity, 
and availability of a system and its information. The National Institute of 
Standards and Technology (NIST) developed information security standards and 
guidelines, including minimum requirements for Federal information systems. CMS is 
required to follow the NIST security standards and guidelines in securing the hub. 

To determine CMS’s progress in implementing security requirements for the hub, 
OIG reviewed documentation, project schedules, and time lines; interviewed CMS 
employees and contractors and personnel from key Federal agencies working with 
CMS during development of the hub; and reviewed CMS’s security testing results. 


We performed our fieldwork substantially from March through May 2013. We continued to 
receive updates from CMS through July 1, 2013, and its comments on our draft report are 
included in the final report. 

The Patient Protection and Affordable Care Act § 1311(b) (Pub. L. No. 111-148) and the 
Health Care Reconciliation Act of 2010 (Pub. L. No. 111-152), collectively known as the 
Affordable Care Act (ACA). 

A State may elect to operate its own State-based exchange or partner with the Federal 
Government to operate a State partnership exchange. If a State elects not to operate an 
exchange, the Department of Health and Human Services will operate a Federally Facilitated 
Exchange. For the purposes of this report, “exchanges” refers to all three types of health 
insurance exchanges. 

NIST’s security standards assist Federal agencies in implementing the requirements under 
the Federal Information Security Management Act of 2002, 44 U.S.C. §§ 3541, et seq. 
RESULTS OF OIG’S REVIEW 

At the time of our review, CMS and its contractors were continuing to develop 
the hub and work with its Federal and State partners in testing the hub to ensure 
its readiness in time for the initial open enrollment to begin on October 1, 2013. 
The following observations provided the status of CMS’s implementation related to 
security controls, security testing, and coordination at the time of our fieldwork. 

Security Authorization 

According to NIST security standards, every Federal information system must ob- 
tain a security authorization before the system goes into production. The security 
authorization is obtained from a senior management official or executive with the 
authority to formally assume responsibility for operating an information system at 
an acceptable level of risk to agency operations. At CMS, the authorizing official is 
the Chief Information Officer (CIO). 

The security authorization package must include a system security plan, informa- 
tion security risk assessment, and security control assessment report. The security 
authorization package provides important information about risks of the information 
system, security controls necessary to mitigate those risks, and results of security 
control testing to ensure that the risks have been properly mitigated. Therefore, 
these documents must be completed before the security authorization decision can 
be made by the authorizing official. Under the NIST guidelines, the authorizing offi- 
cial may grant the security authorization with the knowledge that there are still 
risks that have not been fully addressed at the time of the authorization. 

At the time of our review, the security authorization decision by the CMS CIO 
was expected by September 30, 2013. Since our review, CMS has reported that the 
security authorization was obtained on September 6, 2013. 

System Security Plan and Information Security Risk Assessment 

CMS incorporated the elements required for adequate security into the draft hub 
system security plan. The plan: (1) Provides an overview of the security require- 
ments of the system, (2) describes the controls in place or planned (e.g., access con- 
trols, identification, and authentication) for meeting those requirements, and (3) de- 
lineates the responsibilities and behavior expected of all individuals who access the 
system. 

CMS was still drafting the information security risk assessment at the time of our 
review. For this reason, we could not assess CMS’s efforts to identify security con- 
trols and system risks and implement safeguards and controls to mitigate identified 
risks. Key aspects of the assessment should identify risks to the operations (includ- 
ing mission, functions, image, or reputation), agency assets, and individuals by de- 
termining the probability of occurrence, the resulting impact, and additional secu- 
rity controls that would mitigate this impact. 

At the time of our review, the CMS contractor did not expect to be able to provide 
finalized security documents, including the system security plan and risk assess- 
ment, to CMS for its review until July 15, 2013. Since our review, CMS reported 
to us that the documents were provided to CMS on July 16, 2013. 

Security Control Assessment and Testing 

At the time of our review, CMS and its contractors were performing security test- 
ing throughout the hub’s development, including vulnerability assessments of hub 
services. CMS was logging and tracking defects and vulnerabilities, as well as cor- 
recting and retesting hub services to ensure that vulnerabilities are remediated. 

A security control assessment of the hub must be performed by an independent 
testing organization before the security authorization is granted. The assessment 
determines the extent to which the controls are implemented correctly, operating as 
intended, and producing the desired outcome of meeting the security requirements 
for the information system. The goal of the security control assessment test plan is 
to explain clearly the information the testing organization expects to obtain prior 
to the assessment, the areas that will be examined, and the activities expected to 
be performed during the assessment. 

According to CMS, the assessment was scheduled to be performed between August 
5 and 16, 2013. Since the assessment was not completed at the time of our review, 
we could not determine whether vulnerabilities identified by the testing would be 
mitigated. Since our review, CMS has reported to us that the assessment was com- 
pleted on August 23, 2013. 


NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to 
Federal Information Systems, Revision 1. 
Adjustments to CMS Time Lines 

CMS provided us with time lines in March 2013 and May 2013 for its system se- 
curity plan, risk assessment, security control assessment, and security authorization 
decisions. CMS also provided us additional information on timing of certain steps 
after the May time line. Some key targets had been moved to later dates as the de- 
velopment of the hub was continuing. It is important to note that these were inter- 
nal target dates set by CMS for these milestones and not mandated deadlines. 

For example, in March, the security control assessment test plan was targeted to 
be provided to CMS on May 13, 2013, and this due date was subsequently moved 
to July 15, 2013, and the start date of the security control assessment was moved 
from June 3, 2013, to August 5, 2013. CMS stated that the security control assess- 
ment time frame was moved so that performance stress testing of the hub could be 
finished before the assessment and any vulnerabilities identified during the stress 
testing could be remediated. Otherwise, CMS might need to perform an additional 
assessment after the remediation was complete. 

According to CMS’s time line from May 2013, the security authorization decision 
by the CMS CIO was expected on September 30, 2013. OIG noted in our report that 
if there were additional delays in completing the security authorization package, the 
CMS CIO may not have a full assessment of system risks and security controls 
needed for the security authorization decision by the initial open enrollment period 
set to begin on October 1, 2013. In its comments on our draft report, CMS stated 
that it was confident that the hub would be operationally secure and it would have 
a security authorization before October 1, 2013. 

Since our review, CMS has reported to us that the security authorization was ob- 
tained on September 6, 2013. 

Coordination Between CMS and Its Federal and State Partners 

Our review observed that CMS was coordinating with its Federal and State part- 
ners during the development and testing of the hub, in part to ensure that security 
measures are implemented by all stakeholders. CMS developed an approach for 
interagency testing and has developed test plans. At the time of our review, CMS 
was in the process of executing its test plans, which included testing for secure com- 
munications between CMS and its Federal and State partners and performance 
stress testing of the hub. In addition, CMS has developed security-related 
documents and security agreements regarding Federal information systems and 
networks. The Federal partners are the IRS, Social Security Administration (SSA), 
Department of Homeland Security (DHS), Veterans Health Administration (VHA), 
Department of Defense (DoD), Office of Personnel Management (OPM), and Peace 
Corps. 

CMS has developed security-related documents related to the hub and the ex- 
changes. CMS developed Interface Control Documents (ICD) with all of its Federal 
partners. The ICDs provide a common, standard technical specification for transfer- 
ring ACA-related information between CMS (the hub) and its Federal partners. The 
ICDs establish standard rules, requirements, and policies (including security-related 
policies) with which the development and implementation of the interfaces between 
CMS and its Federal partner must comply. CMS and its Federal partners collabo- 
rated in developing the ICDs and signed the ICDs in May 2013. 

Federal policy requires agencies to develop Interconnection Security Agreements 
(ISAs) for Federal information systems and networks that share or exchange 
information with external information systems and networks. The Master ISA describes 
the systems’ environment; the network architecture; and the overall approach for 
safeguarding the confidentiality, integrity, and availability of shared data and sys- 
tem interfaces. In addition, the Master ISA contains information on CMS informa- 
tion security policy and the roles and responsibilities for maintaining the security 
of ACA systems. 

CMS completed a preliminary review of the Master ISA between CMS and the 
developer of the hub on April 2, 2013, and the Associate ISAs on May 15, 2013. 
Each of the Federal partners will provide similar information pertaining to the part- 
ner agency in the Associate ISAs, which will be signed by the Federal partner au- 
thorized official. Since our review, CMS has reported to us that all ISAs with its 
Federal partners are expected to be approved by September 27, 2013. 

A service-level agreement (SLA) is a negotiated agreement between a service 
provider and the customer that defines services, priorities, responsibilities, 
guarantees, and warranties by specifying levels of availability, serviceability, 
performance, operation, or other service attributes. A SLA is needed between CMS 
and each of its Federal partners to establish agreed-upon services and availability, 
including response time and days and hours of availability of the hub and the 
Federal partner’s ACA systems. According to CMS’s project schedule, the SLA with 
IRS was completed on March 15, 2013; the SLA with DHS was expected to be signed 
by July 26, 2013; and the SLA with SSA was expected to be signed by September 27, 
2013. The SLAs with the remaining Federal partners (VHA, DoD, OPM, and Peace 
Corps) were expected to be signed by September 20, 2013. Since our review, CMS has 
reported to us that the SLAs with IRS, VHA, and DHS are expected to be signed 
before the end of September. CMS also reported that DoD-Tricare and CMS have 
agreed to allow transactions to occur and monitor the “response time metric” to set 
a baseline for the interaction standards before they execute their SLA. They expect 
to execute their SLA by the end of December. 


Specifically, Office of Management and Budget Circular A-130, Appendix III, requires 
agencies to obtain written management authorization before connecting their IT 
systems to other systems. The written authorization should define the rules of 
behavior and controls that must be maintained for the system interconnection. 

CONCLUDING OBSERVATIONS 

CMS is taking steps to ensure that there are adequate security measures for the 
hub in compliance with NIST guidelines. At the time of our review, CMS was work- 
ing with very tight deadlines to ensure that security measures for the hub were as- 
sessed, tested, and implemented by the expected initial open enrollment date of Oc- 
tober 1, 2013. 

Our report provided the status of the implementation of key security require- 
ments at a point in time. CMS has reported to us that it has completed all of the 
required steps and obtained its security authorization on September 6, 2013. We 
have not independently verified CMS’s progress since completing our audit. 

Thank you for your interest in our work on this important issue and the oppor- 
tunity to be a part of this discussion. I would be pleased to answer your questions. 

Mr. Meehan. Thank you, Ms. Daly. 

The Chairman now recognizes our last panelist, Mr. Salo. 

STATEMENT OF MATT SALO, EXECUTIVE DIRECTOR, 
NATIONAL ASSOCIATION OF MEDICAID DIRECTORS 

Mr. Salo. Great. Thank you very much. Chairman Meehan, 
Ranking Member Clarke, other Members of the committee and sub- 
committee. 

My name is Matt Salo. I am the Executive Director of the Na- 
tional Association of Medicaid Directors. I appreciate the oppor- 
tunity to testify on their behalf. 

It is important to talk a little bit about what Medicaid is; why 
is Medicaid here at this conversation about the hub? Medicaid 
itself does a lot more than most people think. 

We deal in numbers that are astronomical. We are going to 
spend close to $500 billion this year covering 72 million Americans. 
It is a State and Federal program. Our members are the ones in 
every State and territory who actually administer the program. 

We are here in large part because again, not very well-known, 
but Medicaid really is kind of the centerpiece of the ACA. The ACA 
spent about $1 trillion over 10 years, half of that goes into Med- 
icaid, to the expansion, and for other changes to it. 

So obviously, the ACA or Obamacare is a highly politically- 
charged issue. We know this, but what is also true is that the im- 
pacts of the law are very real and are very real for the citizens of 
this country, the citizens of each one of our States. 

For my members, as public servants, their primary job is to up- 
hold the law but also to ensure the health and the well-being and 
yes, the security of their citizens. 
If things don’t go well, we get the calls. So it is very, very impor- 
tant that we make sure that things do go as well as possible, and 
there is going to be a lot of aspects of that. 

I think the primary ones for this issue are that our citizens not 
only understand but are able to access, afford, and be safe in their 
security in terms of the new health options that are going to be 
available to them. 

So while there has been a lot of talk and a lot of attention to big- 
ger picture issues like the expansion and State versus Federal ex- 
changes, we welcome the opportunity to talk about some of these 
under-the-hood types of conversations and the work that is going 
on. 

Other panelists have talked about the Herculean nature of what 
we are building here, the unprecedented nature. We have bandied 
around terms like moonshot earlier. 

There really is no precedence in terms of what we are trying to 
build here, and I think it is important to keep all of that in mind 
especially when confronting the fact that I think at least at the 
onset, people were envisioning that this was going to be a 
Travelocity of health care. 

While I think we may get there someday, I do not think it will 
look like that on Day 1 because in many ways, what is happening 
is the creation of the system is kind of like building a bridge start- 
ing at opposite ends of a river and trusting that they meet in the 
center. 

The challenge for Medicaid is that in many ways it is building 
56 different bridges and hoping and trusting that they will meet 
in the center. The challenges obviously are that there is never 
enough time, never enough money, never enough bandwidth to do 
all of these things. 

But having said all of that, again, this has been issue No. 1 for 
our members for the past several years. While there are many as- 
pects of this, security is a very, very important one as well. 

It is important to know that from our perspective as we build the 
connectivity between Medicaid and the hub, the concepts of the se- 
curity of the information are being baked in to that connectivity, 
and that the security and the privacy and the confidentiality of in- 
formation is not something that is new to us. 

We served 72 million people last year and we did so in a way 
that bridged lots of different gaps. Medicaid was able to commu- 
nicate with other programs like TANF for food stamps, SNAP. 

Medicaid was able to bridge the gap with Medicare to ensure 
care coordination for dual eligibles. Medicaid is able to bridge the 
gap with private insurance to do third-party liability, to look at 
citizenship documentation and that became part of the law a couple 
years ago, and in many of the aspects of program integrity that 
State and Medicaid programs take very, very seriously. 

This is a very, very important issue and it will be addressed and 
it will be one of the core functions of what we do. 

By all that, I do want to say though that when we are looking 
at October 1 or January 1, it is important to recognize that we are 
going to have a turbulent takeoff and we are going to have a 
bumpy road as we move forward because of the complexity of what 
we are doing, because of the nature of what we are doing. 
But I think it is also important to note that from our perspective, 
we do not believe that security is one of those things that is going 
to be sacrificed or jettisoned in order to get this done right on time. 

That in fact we think there will be a lot of Day 2, Day 3, Day 
4 mitigation plans and work that is being done, work that is being 
planned as we speak to try to figure out how do we take what we 
know will break down and fix it. 

Again, not on the security side, but in terms of the consumer 
interface where we know that people’s lives, people’s situations are 
messier than rules engines can usually handle, but we are working 
on this. This is what we do. 

I would just close with an analogy, you know, in some sense, 
what we are doing here is analogous to rolling out the Medicare 
Part D program. 

Although that seemed relatively straightforward, on Day 1 when 
we turned on all the lights, it was a bit of a mess, and we had a 
lot of seniors who were in pharmacies who didn’t know what was 
going on, couldn’t get their prescriptions, couldn’t get anyone to 
give them clear answers. 

It was the States, the Feds, and the plans who worked together 
tirelessly for months to figure out, how do we fix this? Now, in 
many respects, this is like Part D on steroids, but that is the com- 
mitment we have, and that is the vision that we see moving for- 
ward. 

This will work. It will not work perfectly. We do not believe secu- 
rity is going to be a primary concern on Day 1, and we will fix what 
happens and what breaks as we move forward. 

Thank you, and I am happy to answer any questions. 

[The prepared statement of Mr. Salo follows:] 

Prepared Statement of Matt Salo 
September 11, 2013 

Good afternoon Chairman Meehan, Ranking Member Clarke, and distinguished 
Members of the subcommittee. My name is Matt Salo, and I am the executive direc- 
tor of the National Association of Medicaid Directors (NAMD). I appreciate the op- 
portunity to testify before you today. 


MEDICAID 

Medicaid is the Nation’s health care safety net. Jointly financed by the States and 
the Federal Government, Medicaid spent more than $420 billion last year to provide 
health care to more than 72 million Americans. The program is administered by the 
States within a broad Federal framework which leads to enormous variation across 
States in terms of who is covered, what services are provided, and how those serv- 
ices are paid for and delivered. Furthermore, within any given State, Medicaid’s role 
is broad, varied, and complex. Medicaid funds close to 50 percent of all births, and 
the majority of all publicly-financed long-term care in this country. 

It also provides most of the Nation’s funding for HIV/AIDS-related treatments, 
mental health services, and others. 

It is therefore very difficult to talk simplistically about Medicaid (either Nation- 
ally, or within a State), despite its incredible importance in the U.S. health care sys- 
tem. 

NAMD was created with the sole purpose of providing a home for the Nation’s 
Medicaid directors and we represent all 56 of the State, territorial, and DC agency 
heads. Our two broad objectives are to give the Medicaid directors a strong, unified 
voice on National and Federal matters as well as helping develop a robust body of 
technical assistance and best practices for them to improve their own programs. 
While no two programs look exactly alike, the directors are unified in their heartfelt 
desire to improve the health and health care of the growing number of Americans 
who rely on the program. 

IMPLEMENTING THE AFFORDABLE CARE ACT — OVERVIEW 

No issue has been more polarizing in recent memory than the Affordable Care Act 
(ACA), often known as “Obamacare.” While the ACA may not be wildly politically 
popular, or even well-understood, it is the law of the land, and it will have far- 
reaching and fundamental impacts on the citizens of every State in the Nation. 

Politics aside, the key to the success or failure of this new law lies in how well 
it serves our citizens; and how well they are able to understand, access, and afford 
their new health insurance options. In many ways much of the foundation hinges 
on reforms to the Medicaid program. The States have been working as quickly and 
effectively as possible for months, even years, to put together the pieces of this com- 
plex health insurance overhaul. 

To fully understand the Herculean task the ACA presented to State Medicaid pro- 
grams, we must acknowledge that States began this journey from very different 
starting points. Likewise, even several years after the official ACA launch we can 
still expect to see differences in the structure of Medicaid programs — and health 
care systems generally — as States determine how to best meet the diverse needs of 
their citizens. 

Regardless of their starting or ending points, there is a long list of changes that 
all States have to make to comply with the law. These include overhauling complex 
eligibility systems to conform to new standardized Federal rules. State Medicaid 
agencies also have been working to integrate with new health insurance market- 
places to ensure that individuals and families receive consistent, accurate informa- 
tion about their eligibility for public insurance programs. And they have endeavored 
to minimize the burden and confusion for individuals and families trying to navigate 
the rules for these new programs. 

Investments in this system overhaul are being made by States, and by the Fed- 
eral Government — with everyone involved fully committed to ensuring that they 
work as well as possible. As envisioned, the new system would be able to process 
a few consumer data points (name, Social Security number) and determine the in- 
surance program — Medicaid or the marketplace — for which each individual in a fam- 
ily would be eligible. It also would begin the actual process of enrolling and paying 
for that coverage. 

Achieving this vision requires real-time communication between States and the 
Federal Government and among multiple Federal departments that historically 
have never talked to one another. In many States, it requires a complete overhaul 
of decades-old Medicaid eligibility systems in order to interface with a new Federal 
“hub.” 

In addition to these technical hurdles, there is another reality to contend with: 
No two State Medicaid programs are alike. These differences have developed over 
the nearly 50 years of the program’s existence, and reflect the political and cultural 
dynamics of each State. These differences range from who is covered, which benefits 
are available and how care is both delivered and paid for, as well as the sophistica- 
tion (or too often, lack thereof) of the State eligibility and information systems, 
many of which were built in the 1980s. 

In a sense, States are building 50+ bridges all at the same time, from different 
starting points and hoping that these efforts meet exactly in the middle. These 
bridges CAN be built and they are in fact being built now. But it is vitally impor- 
tant that we take heed of the lessons of complex policy implementations in the past 
as well as the expertise States have with program and system implementations. 

PRIVACY, SECURITY, CONFIDENTIALITY OF INFORMATION 

Security, privacy, and confidentiality are among the highest priorities for State 
Medicaid Directors. They also hold their vendors to the same high expectations and 
work with them to ensure they too appropriately safeguard personal information. 

While there have been security breaches in Medicaid, there have also been secu- 
rity breaches in the banking and credit card industries, with internet service pro- 
viders, and practically every other component of our increasingly interdependent 
economy. It is unrealistic to expect that these things can be prevented entirely, it 
is more important that we focus on how to minimize and mitigate the risks that 
are inherent in an interconnected society. 

States currently handle many of these types of information in a highly secure way 
as they make eligibility determinations for the more than 70 million Americans 
currently on the program. States routinely work with chief information officers, 
consumer protection agencies, the inspector general’s offices in a variety of State and 
Federal agencies, and more in their efforts to protect consumer information. 

While the specifications of the systems being built to interface with the Federal 
data hub and the Insurance Marketplaces are new. States have decades of experi- 
ence working across program platforms to ensure privacy, confidentiality, and secu- 
rity of patient information (medical and otherwise). Whether it’s communicating 
with private insurance companies to do third-party liability determinations, working 
with other programs such as TANF or SNAP to eliminate redundancies, working 
with a range of Federal agencies to implement citizenship documentation require- 
ments, or working with Medicare to improve care coordination for individuals dually 
eligible for both programs, State Medicaid directors have significant experience and 
perspective. 

In each of these examples, it is important to note that the sharing of information 
across programs or payors is a vitally important function. In fact, the entire field 
of public health and program integrity would barely exist if data could not flow se- 
curely, quickly, and effectively. 

While I am not here to testify to the readiness schedule of the Federal data hub, 
we do know from experience of the high-level commitment to privacy and security. 
In fact, this commitment is one of the main drivers of our concern that the full 
range of operational capacity is not likely to be met by October 1. In fact, some of 
the earliest conversations with our Federal partners revealed a significant stance 
on behalf of IRS that it was more important to ensure that the exchange of data 
was done securely than it was to do it quickly. 

THE ROAD AHEAD 

As we approach the open enrollment date of October 1, 2013, there is one lesson 
that clearly stands out: We must be prepared for a turbulent take-off. 

The magnitude of the changes and the many different pieces that have to be 
linked together mean everyone — consumers, policymakers, and other interested 
stakeholders — must have reasonable expectations of the systems and programs early 
on. In many instances, the consumer experience will not be immediately smooth. 
Real people are going to be frustrated when accessing the system. Whether it’s a 
failure of computer algorithms to properly account for the startling complexity of 
real people’s lives, or the difficulty in ensuring that these multiple State and Fed- 
eral agencies are communicating in real time, it will be bumpy. 

However, it’s also reasonable to expect that the experience can and will improve 
over time. As they do in advance of any major implementation, Medicaid agencies 
are trying to predict, plan for and set up procedures to resolve the problems that 
will inevitably arise. At the same time they will continue working towards the ulti- 
mate goal of compliance with the law’s requirements and seizing other opportunities 
they’ve identified. 

The health and safety of Medicaid clients is the main concern of Medicaid direc- 
tors, and they will continue their on-going commitment to provide the best possible 
service to beneficiaries, while protecting the integrity of the program, and being re- 
sponsible stewards of taxpayer dollars. 

Mr. Meehan. Well, thank you Mr. Salo. 

I thank all of the panelists for their testimony. 

Let me begin, Mr. Salo, you made an observation and I think it 
was really important to recognize that some of the people that are 
at the most risk here are those in Medicaid, the poorest, those in 
the least capacity to be able to recover or help themselves in situa- 
tions where they may be taken advantage of. 

You used the word “no precedence in its size.” Dr. Parente called 
it I think the greatest — the “largest personal data Government in- 
tegration project in the history of the Republic.” 

Ms. Daly, let’s get the elephant out of the room. You know, we 
are talking here about representations that have been made by an 
agency and findings that you made about their readiness to meet 
these deadlines. 

But we had the IG before us just a few weeks ago, the HHS itself 
said, and your reports confirmed they would not be ready until the 
30th at the end of this month. 

That is in the course of the normal business. We know the chal- 
lenges. I am already suggesting this is the largest database in the 
history of the Republic. 

Now, we received a report which you just said that lo and behold 
it was done on the 6th. They are ready to go. 

Now this is an agency who for 3 years failed to meet a single 
deadline, and in your own IG’s report and virtue of every single 
deadline that was articulated as much as 3 months before there 
was not a single deadline met. 

Now you have stated yourself that this has not been done with 
any independent verification and the word continues to be just 
“trust us.” 

Ms. Daly, you are the Inspector General. Do you trust them? 

Ms. Daly. Chairman Meehan, I appreciate the opportunity to re- 
spond to that. In our report, we did point out that they had — some 
of the dates had moved from their original plan date. 

In fact, the date for the security authorization that was recently 
provided on September 6, in our report, we pointed out that it 
was — that is on September 30 — so that is what gave us pause and 
wanted to get that — the early information out to the Members of 
this oversight body so that steps could be at taken and pressure to 
bear where appropriate. 

So with that, we have recently been provided the assurance from 
the CIO at CMS through that security authorization decision, that 
is part of the normal NIST standards that are used and NIST, as 
you know, sir, it is the National Institute 

Mr. Meehan. I know those 

Ms. Daly. Yes, sir, very good. So with that, you know, we are 
just providing that information to you. We have not had a chance 
to go in and do a thorough assessment of it at this time given the 
short time span. 

Mr. Meehan. So you have passed this on, but let’s go through. 
Now what are the three steps? We understand that there are three 
steps in a NIST process. 

There is the identification of the program that we have. There 
is beta testing of that program. Once that is beta tested, you iden- 
tify the flaws in that program, you then fix that program, you then 
test it again to assure — and it is at that point in time that there 
is the certification. 

They were not even ready at that point in time, which was only 
2 or 3 weeks ago to certify to us that they had even done the appro- 
priate beta testing. 

Now you tell me how it is; we need your help. You are the person 
who is the independent verification, not just “trust us.” So how can 
we believe that what was originally scheduled not to be done ’til 
the 30th on a massive project in which they have failed to meet a 
single deadline has been done on the 6th and they have failed to 
give you any information as we said, did you get, when you asked 
for information about the documents — Mr. Astrue identified them 
specifically — you were not given those documents. They were held 
back from you. You are an Inspector General. Why wasn’t a de- 
mand made for those documents? 

Ms. Daly. Well, sir, actually, to be clear, in our report, we dis- 
cuss a number of documents that weren’t available at the time 

Mr. Meehan. Well, if they are not available then, what makes 
you think that they were? Because that is part of the legal obliga- 
tions. This isn’t something that they just get to decide. They are 
going to determine how this process takes place. That is the NIST 
standards. 

Do you believe that they made up all of that ground in that short 
period of time? 

Ms. Daly. Well, sir, I can’t speak to that at this time. 

Mr. Meehan. What does your gut tell you? 

Ms. Daly. I don’t have a reaction. I generally, you know, being 
an auditor, I base our work on, you know, the generally accepted 
auditing standards and that is how we go about and do our work 
and I would have to go in and do a number of procedures in order 
to report back to 

Mr. Meehan. One of them might be real beta testing. Do you in- 
tend in light of what they — they have just made representations to 
you, we still have a period, do you intend to have the inspector gen- 
eral’s office use all of its resources to do the actual beta testing of 
certain parts of the facility before October 1? 

Ms. Daly. Well, sir, let me clarify for you that the beta testing 
is generally focused on the functionality of the system and with the 
functionality of the system, that is really more about how the user 
experiences that system and so forth. 

Mr. Meehan. But not security 

Ms. Daly. It is not really security. 

Mr. Meehan. So we haven’t even tested for security. 

Ms. Daly. Well, sir, to be — one of the key elements that the CIO 
should be considering as part of his security authorization decision 
is the independent security testing of its being done, and I want 
to highlight that it is independent, being done by a contractor, so 
that that provides that independent assurance to the CIO in per- 
forming that. But again, we have not seen the results of that. 

Mr. Meehan. Okay. My time has expired. 

I now recognize the Ranking Member, the gentlelady from New 
York, Ms. Clarke. 

Ms. Clarke. Thank you, Mr. Chairman. 

Ms. Daly, I just want to get some fundamental facts from you. 
If you can just give us a definition of the OIG’s role in the market- 
place and exchange and the Federal data hub, what exactly is 
OIG’s role there? 

Ms. Daly. Well, with regard to that, the OIG, as you know under 
the Inspector General Act, has certain responsibilities for fighting 
waste, fraud, and abuse, and protecting the health and safety of 
the you know, people and beneficiaries — the U.S. taxpayers basi- 
cally — and all of our citizens. 

That is where we emphasize. We don’t have a role in the oper- 
ation whatsoever. So it is very important that we maintain our 
independence in order to provide such an independent assessment 
when it is appropriate to do so. 

Ms. Clarke. So would you state that your role has not been fully 
activated yet just in light of the fact that No. 1, the data hub is 
just coming on-line, and the marketplaces are beginning to emerge 
now? 

Or are you giving oversight to this process and looking or scruti- 
nizing the process to see whether in fact it is efficient or effective? 
Where do you see yourselves right now? What is the office doing 
at this particular point in time? 

Ms. Daly. Well, at this particular point in time, we have been, 
as you know, monitoring the situation because it is unfolding daily, 
you know, trying to stay abreast of some of the prior work that had 
been done, looking forward and doing risk assessments on what is 
the appropriate use of our resources because our resources are 
stretched pretty thin. 

We have also been and I want to highlight this for the Members 
today, you know, coordinating with GAO, with State auditors, and 
with other inspector generals because we see that as critical be- 
cause this, is as everyone has noted, a huge enterprise. 

Ms. Clarke. So can you tell us about how you have performed 
your audit of the hub preparations and testing? 

Ms. Daly. Certainly. Our work really followed the generally ac- 
cepted Government auditing standards, and to do so, what we did 
is we were coordinating with GAO. GAO was in there reviewing 
the data hub and certain aspects of the exchanges through a, you 
know, a request that they had received. 

So we coordinated with them — I am sorry — to ensure that we 
didn’t duplicate any effort. You know, we have got a lot of the 
ground to cover, so we want to make sure that our work is com- 
plementary, not duplicative. 

So in that regard, they were doing certain aspects. They advised 
that they were not looking at the security over the hub, so we said, 
all right, we will look at the security over the hub. 

So we designed a program to ensure that the agents — to be able 
to assess whether the agency was in fact following the NIST stand- 
ards in that regard. 

Ms. Clarke. So why did you, as some suggest, just briefly note 
in the audit that you did not have access to the CMS security docu- 
ments? 

Ms. Daly. Well, Ranking Member Clarke, in our report we indi- 
cated that the agency had not provided us certain documents at 
that time. I think one of them specifically was a security test plan 
because it wasn’t available at that point in time. 

Then, you know, of course subsequently, it may have become 
available. It wasn’t that they refused, it just wasn’t available. 

Ms. Clarke. Okay. Is it available now? 

Ms. Daly. It could be. I think if we requested — I am pretty com- 
fortable it has been available now. They have provided us some up- 
dates of data that you know, has subsequently been done and some 
of the dates it was done on. 

Ms. Clarke. Can you, again, just give us a sense of why you 
didn’t engage the beta testing on the hub? 

Ms. Daly. Well, we didn’t engage that part because No. 1, that 
is usually towards the end of the project and our work primarily 
wrapped up really by the end of June. 

We got, you know, a quick update of certain dates before we pub- 
lished the report, but most of the work was done a bit earlier and 
some of that information and certainly any sort of beta version 
wasn’t available. 

The other part would be that that would cover more functionality 
issues too, and that was really beyond our scope because we were, 
as we understood it, GAO would have been looking more at the 
functionality over the hub. We were focused on the security over 
the hub. 

Ms. Clarke. So is it that to a certain degree, there are some the- 
oretical aspects to I guess standing up the hub that makes it some- 
what exercise of futility for us to begin the testing? 

Or is it that you are waiting for a certain level of the operation 
to be complete before the testing becomes applicable? I am not 
clear on that. 

Ms. Daly. I appreciate that. The issue is there are certain as- 
pects of testing that cannot be done until the process is far enough 
along; until enough has been built in order to do any testing. 

Now to be clear, part of our audit approach was to look at the 
testing that was on-going by the agency as it was being built be- 
cause the agency employed a — actually, it is a system development 
process called Agile, and it is very popular right now because you 
can build things out fairly quickly. 

With that though, they are doing continuous testing as it goes 
on, but this is by, if you will, development personnel. So what hap- 
pens later on then is all independently confirmed, in accordance 
with what NIST calls for, and an independent security assessment 
that is done after all of the internal testing is done. 

So with that, you know, we said there wasn’t any time for us to 
go in and do it, and we didn’t want to duplicate any effort that was 
on-going. Instead, we reviewed the documents that they had avail- 
able. 

For example, as part of their on-going testing, we looked at 
whether they had identified any issues, whether they had logged 
those issues in as they should, whether they had corrective action 
plans in place, and saw the process that they were following. So 
that is the answer to that. 

Ms. Clarke. Okay. I am going to yield back, Mr. Chairman. 

Thank you for your testimony. 

Ms. Daly. Thank you. 

Mr. Meehan. I thank the gentlelady. 

The Chairman now — we will recognize as we do under the rules 
of the committee those Members in order of their appearance at the 
time of the gaveling down, and so appropriately, the Chairman now 
recognizes Mr. Perry, from Pennsylvania. 

Mr. Perry. Thank you, Mr. Chairman. 

Thank you folks for coming to testify. I must tell you that every 
single one of you with all due candor, your testimony is breath- 
taking in concern for me, and I think most Americans, and I imag- 
ine other Members of the panel. 

That having been said, I am not even sure. Maybe Mr. Salo, you 
can, I will direct my question to you, but just, I am not sure who 
should field this, but, you know, I think Americans and Members 
of Congress are concerned about the navigators. 

This is a new position for most people and we don’t know exactly 
what it is going to be like going to a navigator, but we have heard 
about some of their training. 

It is my understanding that they will receive 20 hours of train- 
ing. I just think about that in the context of the information that 
these — folks they will be helping us as consumers decide what in- 
surance is best and how to enroll and while right now Members of 
Congress in our offices cannot advise the public on questions. 

We can’t do that right now but these folks are going to do that 
with 20 hours of training and I just want to alert you to the fact 
that in Pennsylvania — I don’t know about other States — but in 
Pennsylvania, it takes 1,250 hours to become a barber. 

All right, it takes a massage therapist 500 hours, and if you want 
to get a driver’s license in Pennsylvania, you have to have 65 hours 
on the road. 

But to navigate insurance for which has been — this thing has 
been on-going for a couple of years now and Members of Congress 
and the whole Federal Government can’t seem to get information 
out, these folks are going to be advising us with 20 hours. 

So with that, I am wondering, why — it was my understanding 
first of all, that it was originally 30 hours. Can you verify, can any- 
body verify that, and if so, why was it cut? 

Okay, nobody can verify that. 

These folks are, I guess, in that 20 hours — can anybody tell me 
what training these folks, navigators are going to perceive regard- 
ing the security of personal information? 

Okay, so — not that — necessarily that you should be able to an- 
swer those questions. You know, this is going to range from Social 
Security numbers to if a woman is pregnant or not. Various organi- 
zations which include these individuals are going to be contracted 
to do this. 

Let’s just pick one. I know it is somewhat inflammatory, but one 
would be Planned Parenthood. With the issue of pregnancy being 
one of the questions being asked, is there some safeguard? Is there 
some safeguard which offers consumers some kind of recourse? 

Let’s say that you know, in the information that is gleaned, the 
woman is pregnant and then this organization, any organization 
uses that information to advertise to this person their services. Is 
that appropriate? Is that allowed? What is the recourse? Can any- 
body provide any information? Okay. 

Let me ask you this. With regard to — and this is to Ms. Daly. 
Thank you very much. According to your testimony, you did not re- 
view the functionality of the hub or issues specific to the Privacy 
Act, but there is an independent — is it my understanding, there is 
an independent contractor that is going to be doing that or that is 
doing that currently? 

Ms. Daly. That is correct, Congressman. An independent con- 
tractor was supposed to be doing this security assessment that 
would cover over all issues related to security. 

With that though, that is supposed to have already been done be- 
cause it is supposed to be a critical part of the systems authoriza- 
tion that was just recently provided on September 6. 

Mr. Perry. So if that is done, is that information available? The 
outcomes so to speak or the report on that? 

Ms. Daly. I don’t believe that is generally available to the public, 
sir, just because of the sensitivity surrounding that because it 
would show what was tested, how the system is configured, things 
of that nature. 

Mr. Perry. Well, would it — is there some report that will inform 
the public and Congress, Members of Congress, the Federal Gov- 
ernment, regarding the efficacy of that testing and the results? Is 
this system ready? Is it not? 

If it is not, because it is my understanding that the final testing 
for some of this stuff happens at the end of this month and it is 
supposed to go live the first of the next month, so we are 20 days 
away or thereabout, what is the plan or do you know of a plan if 
it fails? 

Ms. Daly. Well, sir, that is a very good point, and I just want 
to clarify that the testing I’ve been talking about focused on secu- 
rity aspects of the system, not on the functionality or efficacy of the 
system. 

So that was beyond our scope, so we didn’t focus on that because 
as I mentioned earlier, we were coordinating with GAO and we un- 
derstood that GAO was going to cover those aspects. 

Mr. Perry. But it is my understanding that the private con- 
tractor will be assessing those other milestones so to speak or effi- 
cacy. Is that your understanding or don’t you know? 

Ms. Daly. I honestly can’t speak to that, sir. I am sorry. 

Mr. Perry. Can anybody else? One of my — go ahead, Mr. Astrue. 

Mr. Astrue. I will say one thing. Speaking for myself, I never 
relied on a contractor to give complete assurance on these things 
because I mean, no disrespect to this particular contractor, but 
they are in business to keep the Federal Government contractors 
happy. 

They are not necessarily going to rock the boat. This is why an 
independent — this is exactly what Offices of Inspector General are 
set up to do is to make independent assessments about, you know, 
violations of legal rights, openness to fraud, these types of things. 

I am outraged that you would rely on any — I mean, MITRE is 
a terrific corporation, but I would never rely on MITRE, and I 
didn’t when I was going through dozens of these kinds of programs 
at SSA. 

Mr. Perry. I have a lot more questions, but I see my time has 
expired. 

I yield back. Thank you. 

Thank you, folks. 

Mr. Meehan. I thank the gentleman. 

The Chairman now recognizes the gentleman from Nevada, Mr. 
Horsford. 

Mr. Horsford. Thank you, Mr. Chairman. I thank you for this 
session. 

I want to start by first asking: There is in fact a private con- 
tractor who is doing this software system development on income 
and eligibility verification? Is that correct? Whoever can answer the 
question? 

Mr. Salo. At both the State and the Federal levels, yes. I am not 
the expert at the Federal level; I believe there is one contractor 
who is doing it at the Federal level. 

At the State, generally, it is one contractor, but there are a vari- 
ety of different private entities that have all bid out with the 
respective States to do this and to do various components of it rang- 
ing from eligibility and enrollment to identity-proofing to conduc- 
tivity with the hub, et cetera. 

But yes, these are generally private contractors. To be honest, I 
wish that the State experience with IT systems vendors was as 
rosy as Mr. Astrue said that they are all in the business of making 
them happy. That is not always true for us. 

Mr. Parente. But there is only one contractor that has responsi- 
bility for building the Federal data hub. 

Mr. Horsford. Now under at least the Health and Human Serv- 
ices Department, the collection of this type of income and eligibility 
data occurs across many programs currently, today, correct? 

Mr. Salo. Yes, that is correct at least with respect to Medicaid. 
As I referenced earlier, there are a number of different crosswalks 
that Medicaid has to do every single day for many of the 72 million 
people who walk in and out of the door whether that is other Fed- 
eral or State programs they may be eligible for; TANF, food 
stamps. You can sometimes work on a joint application to make 
sure that the shared information works there. 

For individuals who are dually-eligible for Medicare and Med- 
icaid, you are cross-walking information across those two programs 
both from a claims system, from a care coordination perspective, 
from a program integrity perspective. 

You know, Medicaid is the payer of last resort, so we tend to look 
for you know, does an individual have coverage from some other 
third-party insurance, or even some sort of settlement from a car 
crash or something? 

So we interface with those systems. Like I said in terms of citi- 
zenship documentation, we do all of that. We do all of that every 
day. The program couldn’t run if you didn’t do all of those things. 

You wouldn’t want the program to run if you weren’t accessing 
across programs to get that kind of information because if you are 
doing that without that kind of information, then you are working 
blind and that is not the way to go. 

Mr. Horsford. So Mr. Salo, you said in your testimony that it 
is important that we focus on how to minimize and mitigate the 
risks that are inherent in the interconnected parts of these systems 
and how they work. 

So my question and the question I hear from the majority of my 
constituents including the insurance companies, agents, businesses, 
they just want this to work, and they want Congress to stop play- 
ing games and to figure out ways to make the law work better. 

This is the same problem that there was under Medicare and So- 
cial Security when they were implemented. It is not going to be 
perfect on Day 1. So my question is: What are some specific rec- 
ommendations where we can identify the potential risks and miti- 
gate those risks and what are the steps that we need as Members 
of Congress to do to ensure that we are putting those steps in 
place? 

Mr. Salo. Well, I am sure you will get a lot of input from other 
members of the panel, but, you know, I would just say that I agree, 
you know, from our members’ perspective, we just want this to 
work because at the end of the day, it is the citizen, U.S. citizens, 
citizens of the State who are impacted and they don’t care whose 
fault it is. If it goes wrong, they are going to blame us. 

You know, in terms of trying to make it work well for them, 
again, I think this type of conversation is and can be very useful 
as we raise potential issues. You know, are there, you know, con- 
tingencies that perhaps we haven’t thought of, whether they are se- 
curity-related or what have you. I think it is important to get those 
out in the open so we can think about those and plan for those. 

In terms of concrete recommendations, you know, the challenge 
really is, you know, again, we have got States coming at this from 
50 different places and, you know, there has been a challenge — 
there is a challenge in trying to build a system up in terms of time, 
in terms of money, in terms of bandwidth. 

There is a challenge when it comes to the timeliness of Federal 
guidance, in terms of, you know, what States can expect, what 
States have to go, because this is all being done with private con- 
tractors, you know, you need time to build into a proposal, into a 
contract, what exactly they are trying to build, and if you don’t 
know until the last minute, it is really hard to sort-of build that 
out quickly. 

So, you know, the extent to which transparency of information 
from the Federal perspective comes out in a quicker, more clear 
way, that would be helpful. I could go on, but I don’t want to take 
up too much time. 

Mr. Astrue. If I could add for just a few moments. Trans- 
parency, as my colleague has pointed out, is important and it is 
also important as the OIG said that these security documents not 
be fully public. 

I agree with that, but there is a difference in terms of trans- 
parency with you and you need to know whether the system is se- 
cure, whether it is violating privacy, whether it is doing its job, and 
you don’t know that right now. 

If the inspector general defines its job so that those things aren’t 
relevant areas, you need to go to GAO and you need to say to them, 
“You need to fill the gap where the inspector general is not ful- 
filling its responsibilities.” I believe that the Senate has started to 
do that. 

Mr. Horsford. Thank you, Mr. Chairman. 

Mr. Meehan. Does the gentleman yield back? Oh, okay. I don’t 
want to assume anything. I am just — okay, thank you. 

At this point in time, the Chairman now recognizes the gen- 
tleman, Mr. Rogers. 

Mr. Rogers. Thank you, Mr. Chairman. 

Ms. Daly, based on your testimony, it seems to me that the issue 
isn’t when, or if, but when we are going to have a breach of the 
data hub or it is going to be leaked or some other problem. 

My question is: Has the IG’s office developed standards by which 
a breach such as that would have to be reported to you? 

Ms. Daly. Well, Congressman Rogers, the NIST also guides this 
area in which breaches are reported. There are, you know, certain 
ways that information needs to be reported, it has to be reported 
within a certain 

Mr. Rogers. So you don’t have to come in afterwards and audit 
to find out about it, they have to notify you when they realize there 
has been a breach or a leak? 

Ms. Daly. That is exactly right. They don’t notify our office actu- 
ally, they notify the CIO’s office. That is who is responsible for 
managing that. 

Mr. Rogers. Are they also required to notify the individual 
whose information was leaked or breached? 

Ms. Daly. Well, it depends on if a true breach occurs. First, 
there is an assessment that is done of it determining the amount 
of encryption that might have been over the data, and if it is a high 
enough level of encryption, the individual does not need to be noti- 
fied. 

If there is a certain amount of, you know, risk involved with it 
and that is a determination that is made in the CIO’s office, then 
the individual of course is notified. 

Mr. Rogers. What about consequences for the navigators, the 
workers or navigators? If we find one of them has intentionally 
leaked or breached the security, are there criminal penalties of that 
you are aware of built into the law or regulations? 

Ms. Daly. Well, unfortunately, sir, I am not in a position to an- 
swer that today. 

Mr. Rogers. Anybody else on the panel? 

Mr. Astrue. Yes, there should be an array of — it depends on the 
nature of the offense, but there should be an array of Federal and 
State penalties. 

Mr. Rogers. That would already be in existence regardless? 

Mr. Astrue. It wouldn’t — not to say that it might not help for 
Congress to clarify on that, but there would be existing tools for en- 
forcement if HHS chose to use them. 

Mr. Rogers. Great. This question would be for Mr. Salo or Mr. 
Astrue. 

I have got here a letter signed by 10 State attorneys general, 
Alabama as being one of them, to Kathleen Sebelius last month 
and among the questions — they asked several questions they would 
like clarification on, but among the questions they ask is — and this, 
I think about Medicaid when I think about this since the State is 
so heavily involved in it is what is the State’s legal liability in this 
new endeavor if there is a breach? Do either one of you know? 

Mr. Astrue. Well, with the qualification that I gave up my law 
license a few years ago, I think generally on these matters 

Mr. Rogers. Voluntarily? 

Mr. Astrue. Yes, I did. I did. 

Mr. Rogers. Just joking. 

[Laughter.] 

Mr. Astrue. No, actually, I was afraid as a head of a Govern- 
ment agency I was going to get sued individually, people would go 
after my bar license, and I decided to give it up. 

Mr. Rogers. I am a recovering attorney myself. 

Mr. Astrue. Yes. I think as a general matter, this statute, what- 
ever else you might say about it is a classic example of a statute 
that preempts a lot of State laws. In fact, that has been part of the 
challenge to the validity of the statute in the first place. 

So I think while I would not want to say that there might not 
be some liabilities for States depending on how much discretion 
they were using implementing the act, my personal view would be 
that most of the activities because they are being required by the 
Federal Government would give the State some immunity from 
suit. 

Mr. Rogers. Well, it just concerns me that 10 State attorneys 
general collectively, legally can’t discern whether or not they have 
that liability and one of the things they ask in the letter is do they 
have or do their respective States have the legal capacity or obliga- 
tion to add to or supplement the criteria by which this system is 
operated to make sure they don’t have legal liability. Do you know 
if the States will have that latitude to supplement the security cri- 
teria? 

Mr. Astrue. I think certainly for some features of the act they 
will have ability to do add-ons. I believe it was designed with, I 
mean, it is tough to tell from the statute, but it does appear that 
to me, that it was designed with that intent, and certainly to the 
extent that you are going beyond the Federal mandate in a discre- 
tionary way, it does seem to me that you would be running some 
risk of losing the protection of the Federal preemption. 

Mr. Rogers. Great. My time is expired. 

Thank you very much, Mr. Chairman, I yield back. 

Mr. Meehan. Does the Ranking Member have a request? 

Ms. Clarke. Yes, Mr. Chairman. I have a request that the com- 
mittee — a request for unanimous consent to have Congresswoman 
Sheila Jackson Lee of Texas sit in and make a comment during our 
proceedings today. 

Mr. Meehan. Without objection, so ordered. 

Consistent with the rules of the committee, those Members of the 
committee who are present will take precedence over those who 
join us. 

So I know the gentlelady will yield while we turn to the former 
U.S. attorney from Pennsylvania, Mr. Marino, for his questioning. 

Mr. Marino. Thank you, Chairman. 

Good afternoon, and thank you, folks, for being here today. 

Ms. Daly, you have some tough questions that you answered and 
you are between the devil and the deep blue sea here because of 
what the AIG technically is supposed to do but based on the lack 
of information that you may have. 

So my question to you is: How can security authorization be 
made without assurances to you as the IG, that the system itself 
is secure? Could you explain that to me please? 

Ms. Daly. Well, thank you for the question, Congressman 
Marino. 

As part of the NIST guidelines for developing systems, rolling 
them out, what are the best practices agencies should be following, 
that is what we have looked at with regards to security for the 
data hub. 

As part of that process, the agencies are supposed to be doing 
some, you know, continuous testing as it is developed that looks at 
security and other things too, but our focus was on security, and 
then at the end, once they get everything developed, they are sup- 
posed to have an independent security assessment. That is critical. 

Mr. Marino. But your assessment then is based on the informa- 
tion that you are provided. Correct? 

Ms. Daly. That is correct, sir. 

Mr. Marino. You are not making any leaps of faith or conjec- 
tures beyond at that point? You are not determining any what-ifs? 

Ms. Daly. That is correct, sir. Yes, we basically are reporting out 
facts in this case. If we had seen something that was a significant 
violation in any way, we certainly would have reported that and 
made a recommendation that things be fixed. 

Mr. Marino. Based on what you received. 

Ms. Daly. Exactly. 

Mr. Marino. It is like a computer, whatever you put in is the 
only thing you are going to get out of it. So the only information 
you get, you based your assessment on what you are given? 

Ms. Daly. That is correct, sir. We compared what the testing and 
the system development documents showed compared to the stand- 
ards that were in place at that time for that purpose. 

Mr. Marino. This is interesting. I got a phone call from a con- 
stituent who works for the State and that person has an insurance 
health program paid for in part by the State. So that person went 
to the Social Security Office and because he wanted to get informa- 
tion about Medicare because of the age; 64, 65. 

That person asked why I needed to sign up. As that person ex- 
plained, “I already have insurance, I don’t need it. It is being paid 
for. Why put the taxpayers to an extra cost of now the Federal Gov- 
ernment paying and my employer coming in second?” 

The answer the clerk gave him was that, “We need this to track 
you and to garner information about you.” 

Okay, now, I found that kind of odd. He said, “Well, I only want 
to sign up for Part A of this,” and he again told her that he had 
insurance and she told him that he would be charged the penalty 
if he signed up later but the Government needed a system where- 
by — needed information whereby to track him so they could have 
information on him to see if he is paying for insurance or has in- 
surance. 

Can anyone address this for me? Because I am at quandary as 
to why. 

Mr. Astrue. Mr. Marino, with all due respect to my former em- 
ployee, I don’t think that that is an accurate description. My recol- 
lection, which is a little soft on the edges is that there was a policy 
decision made in the late 1960s to link the two together in this 
way. 

It has been litigated. I don’t think the rationale of HEW at that 
time is 100 percent clear. It was litigated fairly recently and I re- 
member being consulted on that litigation a couple of times within 
the administration in 2007, 2008. 

I don’t remember when the case was decided. I think it was 
about 2010, but the decision was that the agency had appropriately 
linked those two programs together. 

But again, I don’t think the rationale for why was ever particu- 
larly — I think it was lost in the midst of time by the time it got 
litigated, but I don’t think that my former employee’s description 
is probably accurate. 
Mr. Marino. Okay. Mr. Astrue, since we are talking here, can 
you give me — I know you can go on for a while here, but I only ac- 
tually have — no, actually, I am over my time, but if you could give 
us a little synopsis of your opinion of the IG report; pro and con. 

Mr. Astrue. Yes, I am extremely negative. I think that essen- 
tially what happened here is this is not according to GAAP prin- 
ciples. 

Essentially, they went in, said, “How are you doing?” And they 
said, “Well, we are running behind, but we are doing great.” And 
they said, “Can we see all of the relevant documents?” And they 
said, “No.” 

If you go and read through the report carefully, you will see that 
the security plan was due on July 15 and there is nothing in the 
report that says that it wasn’t done on July 15, and this is an Au- 
gust 2 report. 

There must have been a draft at that point and I am just not 
used to the idea that the inspector general comes in and asks for 
things and you say no. I logged years in the agency and I can’t re- 
member that happening. 

So this is a new IG. This is a new IG that is failing in its duty 
to the American people to dig into what is happening and give an- 
swers to the Congress and the American people. I think it is really 
sad. 

Mr. Marino. Thank you. I yield back my over-spent time. 

Mr. Meehan. I thank the gentleman, and the Chairman now rec- 
ognizes the gentlelady from Texas who we are happy to have joined 
us on the panel today for 5 minutes. 

Ms. Jackson Lee. I thank the gentleman and the Ranking Mem- 
ber for their courtesies, and I think I have some pointed 2 or 3 
questions and then a brief comment. 

I just always believe the importance of oversight and fact-finding, 
and I wanted to ask Mr. Astrue, has he engaged our present in- 
spector general in a one-on-one conversation or viewed his docu- 
ments before your testimony was prepared? 

Mr. Astrue. No, I have not. 

Ms. Jackson Lee. Then I guess the follow-up is you have first- 
hand knowledge of what might be some fractures in the structure 
of exchanges presently being constructed. 

Mr. Astrue. I had first-hand knowledge through, to some extent, 
through February of this year, yes. 

Ms. Jackson Lee. In what capacity? 

Mr. Astrue. As commissioner of Social Security. 

Ms. Jackson Lee. Had the infrastructure of the exchanges begun 
and to what extent? 

Mr. Astrue. They had begun since at that point in time, but 
there was still a great deal of fluidity in it which for me was the 
source of considerable concern because the time at that point was 
really, in my opinion, already too short to do the job properly. 

Ms. Jackson Lee. But that was an opinion? Wasn’t it? 

Mr. Astrue. Yes, indeed. 

Ms. Jackson Lee. It was February 2013? 

Mr. Astrue. I left office on February 13, 2013. 

Ms. Jackson Lee. But of this year or last year? 

Mr. Astrue. This year. 
Ms. Jackson Lee. Yes. So we are now in September. 

Mr. Astrue. That is right. 

Ms. Jackson Lee. So you are reflecting on the first-hand knowl- 
edge that took you up to February and not much further than that. 

Let’s — I thank you for that. 

Let me just go to Mr. Salo. National Association of Medicaid Di- 
rectors, and I am sorry that I missed the explanation of that, but 
let me go right to the crux of where we are. We all should be con- 
cerned about personal information. 

However, I think the magnitude of the Affordable Care Act and 
its overall impact on health care in America is an enormous step 
forward for saving lives in America. 

What would be — do you think we are in the mouth of a whale? 
Are we about to be swallowed or are we moving forward with the 
appreciation and respect for personal data as you can see it from 
your perspective? 

Mr. Salo. Oh, I think there has been a very, very long-standing 
and very, very serious commitment to personal data on behalf of 
Medicaid, on behalf of the Medicaid directors. They know full well 
what happens if there is a security breach, and it is something that 
nobody wants. 

There are contingency plans. There is constant work being done 
with chief information officers, with the State IGs, with security 
experts all the time in Medicaid. 

I think the thing to keep in mind about the big picture here, you 
know, whether we are talking about being swallowed by whales or 
not, is that security and privacy of data is always a concern, but 
the thing that has changed is the increasingly interconnected na- 
ture of not just our health care system but our overall lives in gen- 
eral. 

You know, I am not an expert in banking or credit cards or inter- 
net service providers. There are challenges there. The challenges in 
health care have changed. 

You know, we used to store information in unlocked file cabinets 
in the back of somebody’s office. Was that secure? No, it wasn’t. So 
you had to put in place procedures. We have decided as a society, 
I think rightfully so, that that is not where we want to be and 
what we need for a variety of reasons is to have much more fluid 
interconnection of data electronically; whether it is claims or insur- 
ance information or what have you. 

This is a good thing. It does bring with it different challenges to 
secure privacy. Not insurmountable ones, different ones. So we 
adapt accordingly. So I would just see what we are looking at here, 
whether it is dealing with the Federal hub or what have you, is an 
outgrowth of that natural progression of how do we figure out how 
best to secure this information in this inevitable changing world. 

Ms. Jackson Lee. My time is ending, I just want one simple 
question. Is this any reason to stop moving forward on the Afford- 
able Care Act processes that have been put in place by the Con- 
gress and by Health and Human Services? 

Mr. Salo. To the best of my knowledge, we will not have security 
breaches 

Ms. Jackson Lee. But this is no reason not to go forward? 

Mr. Salo. That is correct. 
Ms. Jackson Lee. Thank you. 

Let me thank my colleagues and to say that this is an important 
hearing, and I also think the issue of affordable care is crucial and 
I think that we are where we need to be, we just need to be par- 
ticularly more cautious, and I think we can all work together to do 
that. 

Let me yield back. Thank you so very much. 

Mr. Meehan. I thank the gentlelady for taking the time to join 
us here today. Let me — I have a few follow-up questions that I 
would like to pursue. So I recognize myself again for 5 minutes. 

Let me just — Dr. Parente, you made some observations in your 
testimony and I don’t want to just leave them hanging out there. 
You are an expert in dealing with health care databases, you 
worked intimately in these in the past. You opined in your testi- 
mony about concerns of not understanding how the system would 
work and the potential for fraud. Would you please elaborate on 
that? 

Mr. Parente. I will even go further and say most of what I have 
heard today has not reassured me for several reasons. The first is 
I have worked, myself, as an independent verification and valida- 
tion contractor for some Federal databases, actually one in the 
State of Maryland when Maryland took a step in the 1990s to put 
together an all-payer database, one of the first in the Nation. 

I worked at the time with the Delmarva Medical Foundation and 
where I worked at Project Hope to essentially be that independent 
verification and validation contractor and there was a public report 
and because the Maryland State legislature required it. 

I personally find it unconscionable that this contractor, whoever 
it is, is not at least going to have an executive summary that actu- 
ally talks about by efficacy the performance standards that would 
be essentially the safeguards that have been put in for vulner- 
ability tests for the white-hat types of operations that are supposed 
to be put into place to make sure that all potential compromises 
have been taken into consideration. 

Mr. Meehan. Those would be the kinds of things that the certi- 
fying officer would have to not only look at but review and rely on. 
Isn’t that right? 

Mr. Parente. Absolutely, and when I took that role on for the 
State of Maryland, it was a 1-year contract. When I entered and 
went to look at those databases, worked with other contractors to 
look at them at different State sites because there were several dif- 
ferent vendors involved, and that is one small State, let alone the 
scale and enormity of what we are discussing today. 

Mr. Meehan. Well, in light of that, and that is one of the con- 
cerns because we talked about the scope and scale of this — Mr. 
Astrue, you as well, and again, I know that we are asking only for 
your opinion and not the kinds of asking statements of fact, but I 
do appreciate once again your testimony touched on something 
rather significant and you discussed that there was a period of 
time in which you believed that the HHS may have backed away 
from its obligations under the Privacy Act and potentially even in 
violation of the law. Can you articulate? Did I get that correctly 
and would you say what you mean? 
Mr. Astrue. Yes, no, and there is a process for this in both — and 
the IRS came to the same conclusion at about the same time — so 
we both filed. OMB is the arbiter on those cases and they stalled 
for a very long time because HHS really didn’t have very much to 
say on the Privacy Act issues. 

So it sat for months and months and months. It was not resolved 
at the time that I left and at some point subsequently I understand 
they decided that all these issues were under the routine-use ex- 
ception, but I think that is a real abuse of routine use. 

You know, whether you believe in the Affordable Care Act or not, 
you in the Congress wrote the Privacy Act. You imposed criminal 
penalties for violations of the Privacy Act and so those of us who 
are in the Executive branch or were in the Executive branch, we 
are supposed to be respecting that. I found the HHS disregard for 
the Privacy Act to be really shocking. 

Mr. Meehan. Let’s pursue that for a second. Again, as a former 
prosecutor, I am concerned about this issue of routine use and, for 
the record, routine use is, “a disclosure of a record, the use of such 
record for a purpose which is compatible with the purpose for 
which it was collected.” 

So anything beyond that would be a violation of routine use. So 
we are already beginning to collect information that relies to some 
database and then there is a broad, broad expansion of how infor- 
mation originally collected is going to be utilized. Is that not accu- 
rate? 

Mr. Astrue. Yes, that is correct. 

Mr. Meehan. Okay, so even if there is an interpretation with re- 
gard to that within routine use because it is all part of a hub and 
it is used as verification, one of the great concerns I have has been 
the derivative use of information that is being gathered by naviga- 
tors. 

So where we have navigators who are going to be asking person- 
ally identifying information, do we have any checks on whether or 
not they will have any other kind of use except for the sole pur- 
pose, the entire sole purpose of facilitating activities on the ex- 
change? 

Mr. Astrue. No, I think that is a fine point. You, Mr. Chairman, 
and other Members of the committee earlier pointed out that these 
are not even typical Americans. These are disproportionately dis- 
advantaged Americans in some of our most vulnerable populations. 

To send navigators out with a minimum of training, no back- 
ground checks in many instances, that is an invitation for fraud. 
I have spent — I have been working on fraud against the elderly 
since 1979 off and on in my career, and I just shudder at the 
thought of untrained people, unsupervised by, in any substantial 
way by HHS, going out with no real monitoring or accountability 
systems saying, “Hi, I am here from the Federal Government. Let’s 
talk about some of the most intimate choices you need to do, and 
you need to apply for this, and by the way, what is your Social Se- 
curity number?” 

I mean, that is exactly the thing that the inspector general 
should be screaming bloody murder about because if that is not an 
invitation to widespread fraud against our most vulnerable people 
in this country, I don’t know what is. 
Mr. Meehan. Are you aware of whether or not there is, within 
this, the requirement that there be background checks for any individual 
who is going to serve as a navigator? 

Mr. Astrue. My understanding is that many of these people are 
being hired without background checks. 

Mr. Meehan. So somebody could be actually convicted of identity 
theft and then become a navigator? 

Mr. Astrue. I think you need to ask 

Mr. Meehan. Mr. Salo, is that accurate? Are you doing back- 
ground checks on anybody that you are familiar with? 

Mr. Salo. Navigators aren’t actually a Medicaid function so we 
are not directly involved in the hiring of them so I can’t speak to 
whether or not there are adequate background checks or other se- 
curities there. 

Mr. Meehan. Mr. Astrue, let me just ask one other question 
again because I am trying to create a record because I want to see 
what is going to happen at some future time, and the bottom line 
is again because we can foresee the potential for utilization of in- 
formation that is beyond the scope of even an interpretation of 
what would routine use be and we have now identified. 

Now those people who have certified the stability of this system 
in light of the recognition that those are potential things here, will- 
ful acts of the privacy, the Federal Government itself, and I have 
the case law that supports it. 

It is a willful — it is the — imposes liability on the agency when 
they violate the Privacy Act by willful or an intentional matter ei- 
ther by committing the act without grounds for believing it to be 
lawful or flagrantly disregarding other’s rights under the Act. 

Mr. Astrue. That is exactly right and the issue first came to my 
attention, and I know I talked to a Washington Post reporter last 
night who was quite sure that everything I said was horribly polit- 
ical and ideological, but this issue first came to my attention be- 
cause my own civil servants who would be doing this came to me 
and said, “I am afraid I am going to be prosecuted for doing this.” 

Mr. Meehan. Wouldn’t it be prudent and do you believe that the 
standard of responsibility is such that before certifying it there 
would be checks to assure that people with criminal records would 
not have access to personally identifying information of individuals 
who were going to be signed on to the exchange? 

Mr. Astrue. Absolutely. They are going to be asking for extraor- 
dinarily sensitive information in many cases including — it is just a 
Social Security number. You know, people can run wild and destroy 
someone’s life, you know, taking a Social Security number. It is a 
big problem in our society. 

Mr. Meehan. My time has expired. 

I now ask the Ranking Member if she has follow-up questions. 

Ms. Clarke. I do, Mr. Chairman. 

I would like to follow up with Mr. Salo. Your testimony mentions 
all of the ways in which States and State Medicaid programs al- 
ready work with a variety of public and private data systems. State 
Medicaid programs already communicate with Federal agencies to 
verify citizenship. Isn’t that correct? 

Mr. Salo. That is correct. 
Ms. Clarke. They may communicate with other programs like 
TANF and SNAP as well? 

Mr. Salo. Correct. 

Ms. Clarke. They also communicate with private entities like 
private insurance companies, right? 

Mr. Salo. Correct. 

Ms. Clarke. Is it correct for me to assume that data that is 
transmitted is personally identifiable? 

Mr. Salo. In many cases, yes it is. Not always, but if it needs 
to be, it is. 

Ms. Clarke. So State Medicaid programs across the country 
have for years exchanged personally identifiable data with Federal 
and private data systems. We know that any data system can be 
susceptible to a breach, but have State Medicaid programs experienced 
any program beyond those we see in the data systems of 
private industry? 

Mr. Salo. No. 

Ms. Clarke. So could State Medicaid programs function without 
this ability to share and retrieve data from other systems? 

Mr. Salo. No, and I don’t think we would want it to. 

Ms. Clarke. You have described a heavy lift for States, but also 
a good partnership with the Federal Government to get this accom- 
plished. It is my understanding that HHS has made a 90:10 match- 
ing rate available for upgrades to States’ eligibility and enrollment 
systems regardless of whether a State chooses to expand. 

Can you comment on the number of States that have availed 
themselves of this funding? 

Mr. Salo. Yes, my understanding is that literally every State has 
availed itself of that funding. There were certainly some examples 
of States that had turned back other specific funding for, call it 
early innovator grants, but in terms of the money that it took and 
that it is taking to update, to upgrade, to transform the current 
Medicaid eligibility systems, many of which are legacy systems that 
go back unfortunately to the 1980s, every State has availed itself 
of the 90:10 funding. 

The question then actually is: Is 90:10 enough? The question is: 
Even with that, even if there were enough funding, is there enough 
time to make those changes? Is there the bandwidth within the IT 
systems vendor community? 

You know, I often used to joke that when we look at the history 
of Medicaid and systems changes, the number of times that you got 
a contract in on time, on budget, and to spec was, well three times 
in the history of Medicaid. 

[Laughter.] 

Mr. Salo. So, a lot of people, I think myself included would 
argue you just need to do something very, very different here. But 
having said that, in the run-up to October 1, and in the time soon 
thereafter, the States and the Feds and the IT systems vendors 
have worked double, triple, quadruple overtime to make this work. 

So we do believe the system will be up and running come October 
1. As I said, it will be bumpy. The consumer experience will not 
be a smooth and seamless Travelocity, but it will be a system in 
place that with workarounds, with, you know, having contingency 
plans going back to using paper, going into the Medicaid office. 
what have you, insurance and subsidies, and that will be available, 
and it is our goal, it is our plan over the next couple of months to 
make sure that we improve that as we go. 

Ms. Clarke. I would agree with you. So much of our information 
is in the public and private domain that, you know, I think we 
need to take a step back and give this an opportunity to rollout and 
work with it to make sure that the American people get the very 
best access to health insurance that they possibly can. 

I mean, just about every American has had an opportunity to go 
on-line and to provide information and you know, we don’t have the 
most secure, unbreachable IT operations in our own homes and 
families. 

So to sort of prejudge just how secure this process will be, will 
be pretty relative to the security of our IT systems. Nation-wide, 
the ones that we use each and every day whether it is to pay a 
phone bill, whether it is to purchase something on-line. 

I am concerned that we not create a panic around the situation 
but that we give it our best efforts in terms of providing an oppor- 
tunity to make this thing work and to work out the kinks as we 
go along. 

There are going to be kinks. We all know that. There is not one 
system that I know of that has been perfect. People have bought 
iPhones and they have been, you know, breachable right out of the 
box. So, you know, let’s not sit here and act as though we have per- 
fection on our side. 

Personal information is critical and its security is critical to all 
of us, but at the same time we have managed given the massive 
use of IT systems around this Nation to keep breaches to a min- 
imum given the number of people and transactions that take place 
each and every day. 

With that, Mr. Chairman, I yield back. 

Mr. Meehan. Well I want to thank the gentlelady for yielding 
back. 

I want to thank each of the witnesses for your testimony here 
today. I am grateful and I appreciate, with the exception of Ms. 
Daly, each and every one of you effectively don’t have to be here, 
that you were responsive to our inquiries, and I am grateful for 
your taking the time using your professional expertise to help us 
better understand a situation in which it is still my considered 
opinion that this hearing has demonstrated by virtue of testimony 
even more questions about the readiness. 

There has been testimony as said it is not a question that this 
needs to be a stepping-off point to prevent a system from being put 
in place, but is it ready to go today? 

At a certain point, is it so clear that it is not ready that the re- 
quirements that are continuing to push this forward at a certain 
point start to become perhaps not even just negligent, but other- 
wise. Great concern to me. 

Once again, I want to thank each of the panelists for their valu- 
able testimony. 

Well, I am not getting ready to close because the Member from 
Pennsylvania has one final question. 
Mr. Marino. Thank you. I refer to my prosecutorial background 
as the Chairman does. We were U.S. attorneys together, but I want 
to bring up two points if I may. 

Mr. Astrue, you were questioned about when you left the agency, 
and I think it was pointed out that you hadn’t been there in, what 
would it be now, 9 months or 8 months. How long were you with 
the agency before that? 

Mr. Astrue. Six years and a day. 

Mr. Marino. You based your opinion on your experience over 
that 6-year period and what you had gleaned even before that in 
your career. 

Mr. Astrue. Sure, and since that time, I have tried to keep up 
on the issue. I don’t call into the agency, but people retire, you talk 
to people 

Mr. Marino. Well, we do call into the agency and ask because 
we get calls from our constituents, “What do I do about this?” 
“What do I do about that?” 

Since last year up until September, and I get the same answers 
now in September that I did last year and in January and Feb- 
ruary of this year is “We don’t know.” So given the fact that there 
have been waivers, delays, I don’t think much has changed over the 
last 1.5 to 2 years. 

In conclusion, ma’am, could you please tell me, did you ever have 
a point when you were doing these investigations concerning secu- 
rity that you thought maybe a statement should have been made 
to HHS, Health and Human Services, HHS concerning I don’t have 
enough data to form an opinion as to what the security is going to 
be or not be? 

Ms. Daly. Well, Congressman, I want to focus — initially, on the 
scope of our work, the scope of our work really wasn’t to provide 
an opinion. We were actually going out there to do just an audit 
over that. We were provided the data that we had requested if it 
was, even had been created. 

That is one of the challenges. I have done a number of system 
development jobs over my career of a variety of systems and it is 
always a challenge when you are doing this because you are doing 
something that doesn’t exist yet and so that makes it more chal- 
lenging to get all of the information 

Mr. Marino. Good point. I mean, did you ever raise that? These 
things do not exist yet, so how can we form a conclusion, a factual 
conclusion? 

Ms. Daly. Well, that is exactly right. So in those cases, that is 
why we reported that the information wasn’t available and when 
they expected to have it available. That is clearly what was in our 
report. 

If you could beg me an indulgence, I would like to say that I 
think our office of inspector general is one of the most highly-re- 
spected in the accountability community and that we do a tremen- 
dous job for the American citizen and taxpayer. 

Our office returned $6.9 billion in expected recoveries last year 
along with over 1,100 civil and criminal actions, and I think our 
record speaks for itself. Thank you. 

Mr. Marino. We rely on you. 

Ms. Daly. Thank you. Thank you. 
Mr. Marino. We rely on you. 

Again, thank you so much. 

Chairman, thank you so much for indulging me. 

Mr. Meehan. Thank you. 

Ms. Daly, I do thank you for your service. 

I thank each of the panelists. The Members of the committee 
may have some additional questions for the witnesses, and if they 
are directed to you I would ask that if you can, you would respond 
in writing. 

So without objection, the committee, the subcommittee now 
stands adjourned. 

[Whereupon, at 4:32 p.m., the subcommittee was adjourned.] 